Police Quietly Obtain Private Location Data with a Checkbook and not a Warrant

Law enforcement agencies across the country are using a previously unknown tool to purchase highly revealing location data. Existing laws meant to protect the public’s data privacy require police to obtain a warrant to purchase this type of data, but shocking reporting by the Associated Press shows that at least one data broker has helped police to sidestep this requirement.

This troubling revelation demonstrates an urgent need for Congress to strengthen laws protecting the public’s location privacy, particularly following the Supreme Court’s decision in the 2018 case Carpenter v. United States.

In that case, the Supreme Court recognized the importance of limiting the police’s use of historical location information without a warrant. This type of data, the court wrote, gave the government “near perfect surveillance and allow[s] it to travel back in time to retrace a person’s whereabouts, subject only to the five-year retention policies of most wireless carriers.” The court held that Americans have a privacy right to their historical cell phone data since location information is highly revealing, and that it should be protected by, at a minimum, requiring police to obtain a warrant to search.

Nevertheless, police and other government agencies have found their way around these Fourth Amendment protections by simply purchasing information. Just two years after Carpenter, VICE News revealed the Department of Defense had purchased smartphone location data, including data from a Muslim prayer app. Tracking is made possible by smartphone manufacturers who create unique identifiers for the purpose of serving ads. These tracking IDs are then sent back to ad companies and data brokers who combine it with GPS data and other information collected during the routine use of a cell phone. As the Project On Government Oversight has previously written, this is “a practice equivalent to giving a landlord a handful of cash to access someone’s apartment instead of getting a search warrant for it.”

The Department of Defense, Customs and Border Protection, Immigration and Customs Enforcement, and the Federal Bureau of Investigation have all purchased location data, and Congress is investigating these agreements. Congress also introduced the aptly named “Fourth Amendment Is Not For Sale Act,” which would close the legal loopholes and require data brokers to turn over data only in response to legal processes, a requirement that already applies to phone companies.

Congress’s concern about the use of surveillance technologies, including location tracking, has grown even more following the Supreme Court’s June decision in Dobbs v. Jackson, which overturned the constitutional right to abortion under Roe v Wade. Across the country, laws criminalizing abortion access will permit police and prosecutors to dramatically expand their reach and to target those seeking a variety of reproductive health care, including but not limited to abortion.

Recent reporting about a previously unknown data broker, Fog Data Science, creates new urgency for Congress to act. Fog Data Science repackages data tracking information and sells to local police capabilities that had previously only been available to the largest federal agencies. According to a recent report by the Associated Press and public records obtained by the nonprofit digital rights group Electronic Frontier Foundation, police agencies are contracting with Fog Data Science to purchase the ability to quickly and cheaply create “geofences.”

Geofences are a powerful tool for law enforcement to locate cell phones near the scene of a crime without specific evidence that their owners were involved. In other cases, police have issued a subpoena to a cell phone carrier to learn which subscribers carried a cell phone in close proximity to a crime and create a list of suspects based on that data. This was done during the investigation of the attack on the U.S. Capitol on January 6, 2021, in which the Department of Justice brought charges against alleged perpetrators by identifying phone numbers on the grounds and using that information as the basis for further investigations. However, geofences raise unique constitutional concerns as they collect information indiscriminately, including on persons who are not suspected of any criminal wrongdoing. In fact, these geofences captured the data of members of Congress, their staffs, reporters, and first responders who were present on the Capitol grounds during the January 6 attacks as part of their jobs.

In the context of access to abortion, medical care that had previously been legal could be criminalized, and geofences could allow police to locate patients, doctors, administrators, and their suppliers.

As revealed by the public records released by the Electronic Frontier Foundation, Fog Data Science takes this a step further by automating the creation of geofences and allowing police to query any cell phone in a given area. This process allows police to take the unique identifier for a cell phone and follow the phone’s travel over time. In doing so, police can rewind a person’s movement through a city and find other locations to search including their homes, vehicles, and other places of interest.

The ability to track people extends over weeks or even months according to public records published by the Electronic Frontier Foundation. The Missouri State Highway Patrol wrote in an email that Fog Data Science can create geofences for locations for “up to last 180 days.” At the same time, the public is expected to believe that among the billions of signals collected there is no personally identifying information despite the ability of the police to identify the public’s “timelines, travels, last known geographical locations and patterns of life.” In exchange for only a few thousand dollars, governments could place a geofence near a hospital or clinic and go on fishing expeditions to investigate medical care given by doctors to pregnant people or to trans children seeking information about gender affirmation. In the context of abortion, law enforcement could create a geofence around an abortion provider and pinpoint its patients by following them to places such as their homes.

The amount of data for sale to the government, and that data’s ability to reveal personal information about the public, has drastically increased in the years since the ruling in Carpenter. While the court properly understood the need to protect the privacy of historical location data, police quickly found ways to sidestep the warrant requirements imposed by the Carpenter decision. At the same time, our laws are not updated as quickly as the pace of emerging technologies, which creates loopholes that law enforcement exploits. Lawmakers did not foresee police simply purchasing data they would otherwise need a warrant for, and congressional action on needed reforms like the Fourth Amendment Is Not For Sale Act that would help address the problem has stalled. It’s imperative that the government close these loopholes and protect the public’s right to privacy.