Chapter 3: Government Access to Personal Data Held by the Private Sector

Governments can gain access to data held by the private sector in two main ways. They can compel the private sector to hand over data, either by lawful means or by coercion. Or the private sector can give the government voluntary access to data, either by selling data sets or by offering them to the government voluntarily.

Because governments are increasingly finding this commercial data valuable and obtaining it via one or both methods, a holistic review of surveillance law must include commercial data practices and how intelligence agencies can obtain and handle that data. While we are not aware of the EU-U.S. consultations including these issues, moving forward it would be wise for policymakers to consider the connection between commercial data and intelligence in order to prevent future disputes relating to international data transfers and insufficient privacy safeguards.

Problem Analysis

Compelled Access by Lawful Means

Compelled Access by Intelligence Agencies in Germany1

The BND can compel telecommunication providers that are subject to German jurisdiction to provide access to communications data.2 While strategic foreign telecommunications collection as laid out in §19 BND Act applies to foreign communications only,3 the collection under this provision is not limited to non-German territory. Rather, due to Germany's geographical location in the heart of Europe, routing of foreign communications actually makes up a relevant fraction of overall telecommunication traffic, even in domestic communications networks.4 If the communications of foreign entities or individuals are processed by providers within Germany, the BND can compel them to provide access to this data. Orders need to be issued by the federal chancellery, and the telecommunications firm receives compensation for the incurred costs.5

According to recent European case law, compelled access is only possible if it does not exceed “the limits of what is strictly necessary.”6 Indiscriminate transmission of data by providers of electronic communication services to security and intelligence agencies cannot be considered to fall within these criteria, as the CJEU clarified in its Privacy International v. Secretary of State case, noting: “a legislative measure […] on the basis of which the competent national authority may require providers of electronic communications services to disclose traffic data and location data to the security and intelligence agencies by means of general and indiscriminate transmission […] cannot be considered to be justified, within a democratic society.”7

The CJEU further highlighted the importance of judicial or administrative oversight in its Quadrature du Net ruling. The court stipulated that the following categories of decisions by security and intelligence services need to be subject to an independent court’s or administrative body’s jurisdiction:

  • A decision giving an instruction to providers of electronic communication services to carry out general and indiscriminate retention of data (paragraph 139);
  • Decisions on national security grounds requiring providers of electronic communication services to retain general and indiscriminate traffic and location data (paragraph 168);
  • Decisions authorising automated analysis (paragraph 179);
  • The sharing of real time traffic and location data (paragraph 189); and
  • National rules which authorise automated analysis (paragraph 192).

Suitability Tests

Serious concerns have been raised in this context about the compatibility of the new BND Act with European case law regarding compelled access through so-called “suitability tests.”8 Those bulk collection suitability tests may be conducted by the BND to assess whether a specific provider or network is suitable for strategic surveillance purposes or to assess the relevance of search terms or create new ones. Suitability tests do not require, as is the case in some other democracies,9 ex ante authorization involving independent oversight bodies. An order by the president of the BND is only needed to assess the first purpose (suitability of specific telecommunication networks for bulk collection). Moreover, the duration and volume of the data collection in pursuit of suitability tests is not subject to (effective) limitations.10 While the data collected in the course of suitability tests may generally only be processed for the two purposes, there are important exceptions to this rule when factual indications point to a “significant threat” to individuals or the security of either the Federal Republic of Germany or institutions of either the European Union and its member states, the European Free Trade Association (EFTA) and the North Atlantic Treaty Organization (NATO).11 Force protection of the German military and that of EU, NATO, and EFTA member states also counts as an exception.

Finally, and importantly, the BND may also transmit data from suitability tests automatically (i.e., without further data minimization) to the German Armed Forces12 where no publicly transparent requirements govern the processing, transfer, and deletion of such data. Moreover, it should be borne in mind that the new judicial and administrative oversight bodies created as part of the 2021 reform of the BND Act have no authority over the use of such data by the German Armed Forces.

The described suitability tests represent a “general and indiscriminate transmission” of personal data to the intelligence service, and are therefore likely not to be “necessary and proportionate” as demanded by the CJEU.

Compelled Access in the United States

Law enforcement officials in the United States increasingly seek access to electronic communications, such as emails and social media posts, stored on servers and in data centers. Where law enforcement seeks access to communications, it has a few options, including asking the owner of the device to turn over data voluntarily. More often, law enforcement requests access to data directly from companies. This has led to debate over the extent to which national governments can compel private companies to disclose data, and the degree to which civil liberties and privacy concerns should inform the proper procedure for sharing such data.

In the United States, this debate has largely centered on the Stored Communications Act (SCA), which is part of the broader Electronic Communications Privacy Act (ECPA). Although the SCA generally prohibits certain technology companies from disclosing the contents of electronic communications to third parties, it mandates disclosure to the U.S. government pursuant to a warrant based on probable cause that the communications contain evidence of a crime. As a result, most company privacy policies typically note that they will disclose user data where required by law. However, it may be up to the company to make individual decisions about whether to push back against an overbroad request, or where the legal obligations are unclear.

Currently, the U.S. government relies upon a handful of different laws and mechanisms to compel access to user information, both domestically and internationally. In general, these legal mechanisms and standards ensure that law enforcement and intelligence agencies do not collect Americans’ information unless there is individualized, fact-based suspicion of wrongdoing. The level of suspicion varies depending on the context and the information’s sensitivity, but because suspicionless surveillance violates U.S. constitutional principles, “compelled disclosure” in the United States occurs through a variety of legal mechanisms and processes.

The Fourth Amendment of the U.S. Constitution protects against unreasonable searches and seizures, and gave rise to search warrants, which are mostly based on the government demonstrating “probable cause” that a crime has been committed. National Security Letter (NSL) requests are requests for less sensitive information (i.e., no content of communications) that certain government agencies can make when they are conducting national security investigations, under four different federal statutes.13 Under ECPA, for instance, NSLs compel companies to disclose “the name, address, length of service, and local and long distance toll billing records” of a subscriber to a wire or electronic communications service.14 As discussed earlier, FISA Section 702 authorizes the U.S. government to target non-Americans located abroad and to collect the content of their communications—notably, the Foreign Intelligence Surveillance Court (FISC) does not review individual applications for particular surveillance targets, but instead approves certifications for certain categories of intelligence information such as counterterrorism.15 ECPA outlines the standards and processes under which U.S. law enforcement agencies can obtain electronic communications data from tech companies—the most common method for making such requests is through the use of a subpoena.16

More recently, the CLOUD Act amended Title II of ECPA to address the question of whether U.S. companies must comply with U.S. law enforcement requests for data access, regardless of where the data is being stored.17 The CLOUD Act also enables foreign governments who enter into executive agreements with the U.S. government to submit requests for the content of electronic communications directly to U.S. companies, and vice versa—but no bilateral agreements are yet in place.

Voluntary Access: Commercial Data Purchases

In addition to compelled disclosure, companies may voluntarily hand over data to law enforcement in a variety of circumstances. Commercial data practices are therefore increasingly intertwined with government intelligence. These voluntary access arrangements may include government entities asking for data from companies on a voluntary basis, government simply receiving offers from companies, or even government entities actively purchasing personal data from private entities. Depending on the type of company involved, there may be no legal restrictions related to voluntary disclosure.

Law enforcement and intelligence services are not blind to the availability of this information stream. In the United States, government entities are increasingly finding ways to obtain this data, which pertains to citizens and non-citizens alike. Over the past few years, the media has surfaced numerous instances of U.S. government agencies circumventing Fourth Amendment requirements, and accountability more generally, by buying data from discreet commercial companies known as data brokers.18 While we are not aware of governments’ gaining voluntary access to data outside of purchases, the possibility of voluntary access without any monetary arrangement remains and should also be considered.

The practice of buying data (or gaining other voluntary access to data) means that the government circumvents the need to obtain court orders that would lay out parameters and particularity for the data to be obtained. Accordingly, these private sector practices are not subject to the same judicial oversight, nor are there other oversight mechanisms (congressional or independent) in place to ensure that individuals’ civil rights and civil liberties are upheld. When the government buys data (as opposed to accessing it through compelled disclosure mechanisms), there are no retention or minimization requirements or standards, no requirements that the government delete data unrelated to a certain type of investigation, and no transparency requirements—essentially, there are none of the typical democratic controls or privacy safeguards that governments require by law for intelligence collection.

To bring democratic accountability to intelligence practices moving forward, governments must avoid this trend toward purchasing data, and abide by the legal standards for intelligence collection more broadly. That is, they must obtain warrants or otherwise operate within the compelled disclosure mechanisms outlined above, where there are rules in place. Even then, in many cases rules need to be strengthened or more closely followed by the intelligence community. In the U.S. context, where various agencies (and potentially intelligence agencies) are purchasing data for unknown purposes and using the data in unknown ways, Congress must rein them in by passing a clarifying statute and banning the practice of purchasing data from brokers writ large.

Background on the Industry

The explosion of data collection by data brokers as well as behavioral profiling for the purposes of online advertising has given rise to a thriving marketplace for personal information, much of which is revealing and intimate. The commercial data broker industry is a rapidly growing multibillion-dollar economy made up of companies large and small that aggregate consumers’ information into large datasets by scraping the web or buying data from other companies. This large ecosystem of companies buys, licenses, compiles, analyzes, aggregates, repackages, and sells large sets of personal information—often including very sensitive data such as location information—to anyone willing to pay for it.

A few data brokers have become notorious. ClearviewAI, for example, has been the subject of public scrutiny for scraping publicly accessible photographs, often with names attached, from sites such as Facebook, Instagram, Venmo, and YouTube for facial recognition purposes.19 The New York Times reported in January of 2020 that over 600 law enforcement offices around the United States had used the service in the preceding year.20 Additional reports revealed that the FBI, U.S. Department of Homeland Security, and specifically U.S. Immigration and Customs Enforcement (ICE), had also used the company’s tool.21 But far more data brokers operate in the shadows. As far back as 2013, a U.S. Senate report detailed the threats that the data broker industry posed to consumers, finding that they “operate behind a veil of secrecy.”22

Data brokers repackage people’s personal data mostly to cater to advertisers and retail companies, who can then use it to “microtarget” consumers for online advertising—though such data is also valuable to others seeking insights into consumer behavior, such as hedge funds. The information collected and compiled into datasets can include relationship statuses, whether an individual is pregnant, which medicines an individual takes, and which businesses they frequent. Much of this data, especially location data, can be used to predict user movements, especially when combined with social network data and other analytical tools, making it valuable to advertisers and, in turn, brokers. Of all the data that brokers compile and sell, user location data are among the most sensitive and most profitable, leading to the growth of what has been called a new “location data economy.”23 The purchasers of these datasets maintain that their interest is in the patterns that the data reveals about consumers, rather than individual identities.24 But those with access to the raw data could still use a unique identifier to identify a person without consent. Even without the raw data, one could easily reverse engineer location data by pinpointing a phone that regularly spent time at a certain home address, and using public records to determine who lives there.

Current Relevance: The United States, Germany, and the EU

Though these data are ostensibly collected for commerce, recent reporting suggests that, at least in the United States, government law enforcement agencies are rapidly becoming major buyers. There are numerous troubling recent examples involving location data alone. Motherboard recently revealed that a data broker named X-mode has been compiling geolocation data from a popular Muslim prayer app (Muslim Pro) and a Muslim dating app (Muslim Mingle), then selling this extremely sensitive data to the U.S. military through defense contractors.25 Likewise, according to the Wall Street Journal, the Department of Homeland Security, ICE, and Customs and Border Protection have been using a commercial database from Venntel Inc. to obtain user location data to detect undocumented immigrants and monitor cell phone activity along the U.S.-Mexico border.26 This location information—combined with other surveillance tools—has been used to track, arrest, and even deport immigrants across the country.27 Reports also show that the U.S. Internal Revenue Service partnered with Venntel to identify and monitor suspects in money laundering, cyber, drug, and organized crime cases.28

Because investigative reporting surfaced these issues, lawmakers are now delving deeper into understanding the ever-expanding surveillance ecosystem in the United States and beginning to pinpoint the especially problematic role that data brokers play. For example, in 2020, the U.S. House Committee on Oversight and Reform launched an investigation into Venntel’s practice of brokering location data to government agencies.29 In early 2021, the DHS inspector general also announced that, in response to a request from five U.S. senators—Sens. Ron Wyden (D-Ore.), Elizabeth Warren (D-Mass.), Sherrod Brown (D-Ohio), Ed Markey (D-Mass.), and Brian Schatz (D-Hawaii)—his office would be opening an investigation into DHS’s purchase of Americans’ location data for law-enforcement purposes.30 Through the investigation, one company that collects and sells consumer data for advertising purposes, Mobilewalla, informed the senators that it had indirectly sold information to DHS to track cell phones without warrants, noting that “selling mobile device data for use by law enforcement agencies is not our business model.”31

In the EU, the introduction of the GDPR (and the relevant provisions in the European Convention on Human Rights, and Convention 108) has restricted the data that data brokers can collect and disclose. Article 5 of the GDPR lays out the general principles according to which personal data must be processed and collected: lawfulness, fairness, and transparency; purpose limitation; data minimisation; accuracy; storage limitation; and integrity and confidentiality.

Clear opt-out rights for data subjects and the introduction of a risk-based approach to compliance increase the accountability of data controllers and strengthen the enforcement of data subject rights.32 Purpose limitation is also a significant safeguard, as it forbids collecting and selling data for a purpose not defined at the moment of collection.33 However, it is important to note that EU-wide rules and directives are not necessarily applied in full in national laws, and actual compliance often falls behind.

In comparison to the United States, these enhanced data subject rights substantially limit the supply of data for intelligence purposes and what products governments are allowed to legally acquire through the private sector. There is nevertheless an active market for personal data, and it is highly likely that intelligence agencies in EU countries make use of these kinds of data sources as well and purchase data on the open market. It is moreover important to note that the private sector is not only relevant in providing data, but also plays a crucial role when it comes to profiling and analysis. This is especially relevant in the context of social media and open source intelligence.

Legal Frameworks & Open Questions

Concerningly, the practice of the state purchasing private information from data brokers has been ongoing despite rules from the U.S. Supreme Court that ban the practice. On June 22, 2018, the court handed down its decision in Carpenter v. US, a landmark law enforcement data access case, ruling that under the Fourth Amendment to the U.S. Constitution, law enforcement could not compel a mobile telephone company to turn over the location of a person (for seven days or more) without first obtaining a warrant signed by a judge.34

Prior to this ruling, the Stored Communications Act (SCA) allowed compelled production of customer records under a less stringent standard.35 The Fourth Amendment, which protects against unreasonable searches, was not implicated because the prevailing case law prior to Carpenter held that any information given to or collected by a third party lost the amendment’s protections. The Supreme Court in Carpenter rejected that long-held view and instead decided that, at least when it came to particularly invasive and personal information such as location data held by third parties, individuals should still benefit from Fourth Amendment protections.

Without access to the SCA’s ability to compel records without obtaining a warrant, law enforcement has apparently turned to purchasing those records. As Brennan Center’s Elizabeth Goitein pointed out, “[w]hen the government simply incentivizes the disclosure—by writing a large check—the warrant requirement evaporates.”36 Carpenter only specifically dealt with the actions of law enforcement, and because it was a narrowly written decision, it does not explicitly address U.S. intelligence agencies. Additionally, the U.S. government has remained silent since the ruling on how, or even whether, it will modify its practices, offering no transparency at all on how the intelligence community interprets Carpenter.

Advocates and policymakers have repeatedly pushed for transparency on this very matter—the intelligence community’s interpretation of Carpenter—with little success. In March 2019, a group of senators wrote to the attorney general inquiring about the government's treatment of metadata in national security cases, and whether it has changed in light of the Supreme Court's decision in Carpenter.37 Sen. Wyden, a member of the Senate Select Committee on Intelligence, sent a list of questions to the Department of Defense in May of 2021 related to the purchase of “internet metadata” and received back answers that were classified—DOD did not reply to Wyden’s request to release public answers. Civil society advocates have also called for, at the very least, the government to write and make public a legal memorandum detailing how it interprets Carpenter in the context of the Foreign Intelligence Surveillance Act. After some debate, that transparency measure was included in the House-passed version of the USA FREEDOM Reauthorization Act, though it did not become actual law.38

In Germany, there is no mention of datasets purchased on the private market in the intelligence legislation. The BND Act does not include a provision on the governance and oversight of the service's purchase of data, as the general scope of paragraph 19 of the BND Act is limited to the collection of personal content data (personenbezogene Inhaltsdaten) in the context of strategic foreign communications collection. In fact, when it comes to purchased data, only the general mandate description of the BND in paragraph 1 section 2 of the BND Act seems to apply. Those provisions, however, only cover the collection and analysis of information, and we argue that purchases cannot be sufficiently subsumed under this norm in the absence of further, more detailed provisions on the process, safeguards, and oversight. Commercial acquisition of data, therefore, does not seem to be covered by the comprehensive regulation and oversight regime that the 2021 BND Act reform established.

Not only does the practice of government entities buying citizens’ data undermine constitutional requirements and democratic accountability, but the data that the government is buying may not even be accurate. While advertisers’ reliance upon such information may merely result in improperly targeted ads and wasted ad dollars, some private sector uses of the data and the government’s reliance upon this information can have grave implications. There are many known cases in which individuals were denied housing due to screening companies’ incorrect data, often purchased from brokers or pulled from “people search” broker websites,39 and in which individuals have been rejected from jobs based on background checks with bad data.40 But, due to the lack of transparency, we do not yet have a complete understanding of how purchased data may be used by our intelligence community, and how serious the implications of bad broker data could be in its hands.

One of the biggest barriers to understanding data brokers’ role and impact is the lack of transparency surrounding the industry more broadly—not only for users, but also for regulators. As far back as 2014, the Federal Trade Commission (FTC) called for more transparency around the expansive but largely undiscussed data broker industry. On this front, Vermont and California have both recently passed laws seeking to shine a spotlight on data brokers, requiring the registration of data brokers operating in those states.41 Similar legislation has been proposed in the U.S. Congress, at the federal level. However, such registration has had little effect in cutting off the data flows of personal information to and from brokers, likely due to how data brokers were defined in the bills, and due to the bills’ broad exemptions.42

Roadmap toward Positive Change

In order to avoid potential loopholes and mitigate the risk of future impasses, it is crucial that policymakers consider not only reforms to traditional government surveillance laws, but that they consider private sector data as well—taking both compelled and voluntary access to commercial data into account.

With regard to compelled access to data held by the private sector through lawful means, policymakers should take into account European case law stipulating that such access must be within the limits of what is strictly necessary and proportionate in a democratic society. The CJEU explicitly excludes indiscriminate and general transmission of data from the private sector to the government. Moreover, the CJEU stressed the importance of judicial and administrative oversight when it comes to compelling the private sector to provide access to data.

When it comes to voluntary access to data, the government’s purchases of data from the private sector are insufficiently regulated in the legal frameworks both in EU countries and in the United States. This legal loophole is potentially being exploited by intelligence agencies, allowing the government to evade accountability. To avoid this, policymakers in the United States and EU need to take swift action to close legislative loopholes, and in the United States, to enact a comprehensive federal data privacy law.

Closing Legislative Loopholes

U.S. Sen. Wyden has been a leading voice on the issue, calling the government practice of buying Americans’ location data a “backdoor to throw the Fourth Amendment in the trash can.”43 For this reason, in early 2021, Sen. Wyden introduced the Fourth Amendment Is Not For Sale Act, which would fill this major gap in statutory law.44 The Wyden bill would prohibit law enforcement and intelligence agencies from purchasing communications content, geolocation information, and other highly sensitive data which it would otherwise need a warrant to obtain. Significantly, the bill also would limit the government’s ability to create new and constitutionally unsound workarounds in the future by establishing that the mechanisms provided in statute (under the Electronic Communications Privacy Act for law enforcement access to Americans’ information, and the Foreign Intelligence Surveillance Act for the intelligence agencies) are the exclusive means by which the government may acquire such information about people in the United States.

Ultimately, the Wyden bill would close the loopholes that the intelligence community currently leans on to buy and acquire metadata about Americans’ international calls, texts, and emails to family and friends abroad without any FISA Court review. Further, the bill would ensure that when intelligence agencies seek to acquire Americans’ location data, web browsing records, and search history, they are required to do so within the framework of the Foreign Intelligence Surveillance Act, and must obtain probable cause orders. (Similar language very nearly passed the Senate in early 2020 via an amendment that Sens. Wyden and Steve Daines (R-Mont.) put forth when Congress considered Patriot Act Section 215 reform legislation.)45

The Wyden bill could be even stronger, but is a very important start. The bill as currently drafted only applies to data purchases, once again leaving a small window that the government could exploit—for example, brokers could still provide data to the government on a completely voluntary basis, without any pay. Such arrangements may be of interest to companies seeking to obtain government contracts, or establish rapport with government entities for other reasons, such as avoiding regulation. Nonetheless, in the near term, Congress should take up and pass Wyden’s legislation to close this loophole, and ideally strengthen it if there is opportunity.

Even though the market for commercially available data is likely far smaller in Germany than in the United States, commercial acquisition of data needs nevertheless to be included in the intelligence legislation. Clear provisions governing this type of government access to personal data are necessary to make sure that governments do not evade safeguards and accountability mechanisms present for other types of access (i.e., warrants needed in the case of compelled access) by simply purchasing data.

Passing Comprehensive Privacy Legislation

In the longer term, a comprehensive data privacy law in the United States could also help—if robust enough. Although the GDPR outlaws sharing data without user consent in the EU, governments may still be able to purchase such data given various exceptions.

In the EU, the GDPR applies to both the public and private sectors and a parallel data protection regulation—the Law Enforcement Directive—applies to “the processing of personal data by competent authorities for the purposes of the prevention, investigation, detection or prosecution of criminal offences or the execution of criminal penalties, and on the free movement of such data.”46 Therefore, a data broker’s obligations would be dictated by the GDPR and a law enforcement agency’s obligations would be dictated by the directive.

The GDPR allows data brokers to share personal data with law enforcement if they have a lawful basis under Article 6.47 The vital interest basis under Article 6(1)(d) could be used if sharing personal data is necessary to protect someone’s life. Otherwise, the public task basis under Article 6(1)(e) could be used if the “processing is necessary for the performance of a task carried out in the public interest or in the exercise of official authority vested in the controller.”48 Data brokers who compile personal data for marketing or other commercial purposes would need to satisfy the purpose limitation principle because sharing personal data with law enforcement is a new purpose.

However, the GDPR contains a crime and taxation exemption that exempts a law enforcement entity from respecting an individual’s data protection rights, including purpose limitation, if compliance would be likely to prejudice the prevention and detection of a crime or the apprehension and prosecution of offenders.49 Therefore, while EU citizens in the EU have substantially more data protection rights than citizens in the US, EU law enforcement agencies are still able to obtain personal data from data brokers if they can establish a lawful basis for processing.

However, no such comprehensive data privacy law exists in the United States, leaving citizens’ data exposed to a range of actors. In the absence of robust federal privacy safeguards, these databases are ready for purchase by predatory actors like loan companies and for-profit colleges,50 law enforcement agencies, and even malicious foreign actors.

It is long past time for Congress to pass comprehensive privacy legislation. While the EU passed the GDPR in 2016 and it took effect in 2018, the United States lags behind. Currently, U.S. law generally relies on “notice and consent” to protect consumer privacy, but this framework does not give individuals real choices about how their data are used, and it is insufficient to protect user privacy.51 There is a strong consensus among stakeholders that we need to replace this model with a new approach that places restrictions on how data can be used and gives users enforceable rights over their personal information.52

Legislation should codify the eight fair information practices developed by the Organisation for Economic Co-operation and Development (OECD), by including safeguards relating to: the legal bases upon which governments may compel access to personal data; requirements that access meet legitimate aims and be carried out in a necessary and proportionate manner; transparency; approvals for and constraints placed on government access; limitations on handling of personal data acquired, including confidentiality, integrity and availability safeguards; independent oversight; and effective redress.53

Finally, comprehensive federal privacy legislation should include all companies that sell data as part of the data brokerage economy. These definitions will therefore be crucial to a federal privacy law’s success. As one expert recently pointed out: “Federal privacy legislation will not be sufficiently comprehensive without substantial attention to the data sales and transfers that underpin the data surveillance economy itself. The entity that directly and initially collects a consumer’s information is often only the first in a long chain that will acquire it.”54 Accordingly, perhaps additional obligations on data brokers can help address the downstream consequences of how personal data can be used by other parties.

Oversight of Data Flows

Finally, comprehensive oversight is needed to follow the flow of data across the private sector (from app developers and platforms to data brokers) and into the public sector (either through compelled access or purchases). These data flows are difficult to follow and have thus far evaded oversight, as few oversight bodies have the broad reach and resources to conduct such a comprehensive review.

The use of commercially available datasets by intelligence services therefore needs to be explicitly included in the intelligence oversight architecture both in Europe and in the U.S. to avoid creative non-compliance. Some countries are already addressing this issue, while many others are far behind. The German legislative framework, for example, does not sufficiently cover such datasets. In the United Kingdom, on the other hand, the oversight body pays closer attention to datasets held by the private sector. The Investigatory Powers Commissioner’s Office (IPCO) stated that it has conducted “an extensive review of bulk datasets held by third parties to which U.K. intel community had access,” so as “to provide assurance that BPD (bulk personal dataset) warrants were being obtained where applicable.”55 The newly created Canadian National Security and Intelligence Review Agency (NSIRA) declared in its annual report that it “will examine information sharing with private sector organizations,” and also concretely referred to location data and to the need for warrants even in the case of purchased data.56

In the United States, Congress could conduct an investigation into these issues, and/or the PCLOB could play a larger role in overseeing the data flows between the private sector and government. The PCLOB has not, to date, investigated issues pertaining to the government’s use of commercial data, outside of its collection practices under FISA Section 702 and Patriot Act Section 215. The PCLOB may be hesitant to take up such matters due to the realities of its resources or its jurisdiction (currently “information sharing practices” of the executive branch are listed as within its jurisdiction, but not necessarily with external parties).57 Congress could specifically direct the PCLOB to review not just the information sharing practices of the executive branch, but also the sharing practices between the private sector and the government, which have mostly avoided oversight (with the notable exception of the DHS inspector general taking up the issue).

Citations
  1. The draft of the e-evidence directive at European level (source) has led to many important discussions about safeguards regarding compelled access by law enforcement agencies (LEAs) to data held by the private sector. For the sake of clarity, and because it exceeds the scope of this report, this section will, however, focus solely on compelled access by intelligence agencies in Germany. For a comprehensive analysis of compelled access by law enforcement agencies from a transatlantic perspective see for example: Theodore Christakis, Fabien Terpan, EU–U.S. negotiations on law enforcement access to data: divergences, challenges and EU law procedures and options, International Data Privacy Law, Volume 11, Issue 2, April 2021, Pages 81–106, source.
  2. §§ 3, 4 and 8 BND Act
  3. A separate law, the Article 10 Act, regulates the interception of domestic communications. The Article 10 Act, however, also goes beyond "interception of domestic communications" in that foreign-domestic traffic, i.e., communication that involves both foreign and domestic participants, is regulated in § 5 of the Art. 10 Act. For more information on the Article 10 Act and recent reform attempts, see e.g. Wetzling, Thorsten. “The key to intelligence reform in Germany: Strengthening the G 10-Commission’s role to authorise strategic surveillance.” source; Vieth, Kilian and Charlotte Dietrich. “New hacking powers for German intelligence agencies.” October 27, 2020. source
  4. For example, the internet exchange point DE-CIX in Frankfurt is one of the largest in the world, with an average overall traffic of more than 6.5 terabits per second at this hub. For more detailed traffic statistics see: source
  5. § 25 BND Act
  6. Court of Justice of the European Union. Privacy International v Secretary of State. October 6, 2020, recitals 78-81. source
  7. Ibid.
  8. Vieth-Ditlmann, Kilian and Thorsten Wetzling. “Caught in the Act?: An analysis of Germany’s new SIGINT reform.” 2021. source
  9. According to Part 4 (Authorisations), Subpart 3 (Practice Warrants), Section 91 (Application for issue of Practice Warrant), New Zealand's Intelligence and Security Act 2017 establishes a detailed authorization procedure for testing and training warrants that involves the Chief Commissioner of Intelligence Warrants and the Inspector General. See: source
  10. While there is no limitation regarding the volume of traffic that may be collected by means of so-called suitability tests for either purpose, only the suitability test according to purpose 1 is subject to a six-month time limit, which may also be renewed an unspecified number of times for a further six months (§ 24 (2) sentence 2 and 3 BND Act).
  11. § 24 (7) sentence 1 BND Act
  12. § 24 (7) sentence 3 BND Act
  13. Currently, NSLs are authorized under four federal statutes: the Electronic Communications Privacy Act (ECPA) (18 U.S.C. § 2709), the National Security Act (50 U.S.C. § 3162), the Right to Financial Privacy Act (12 U.S.C. § 3414), and the Fair Credit Reporting Act (15 U.S.C. §§ 1681u, v.). NSLs can only be used to collect information that is considered to be less sensitive (e.g., not the content of communications), and must only meet a lower standard of proof, such as relevance to an authorized investigation.
  14. 18 U.S.C. § 2709, “Counterintelligence Access to Telephone Toll and Transactional Records.” source
  15. The original types of surveillance orders authorized by FISA require the government to show probable cause to believe that the target is a foreign power or an agent of a foreign power. The FISA Amendments Act of 2008 expanded FISA by, among other provisions, adding Section 702, which authorizes the U.S. government to target non-Americans located abroad and to collect the content of their communications. Under Section 702 the FISC does not review individual applications regarding particular surveillance targets, but instead approves certifications for certain categories of intelligence information such as counter-terrorism and approves targeting and minimization procedures. Spandana Singh and Meghna Bal, “Bridging the Transparency Gap” New America’s Open Technology Institute and The Esya Centre, Aug. 19, 2021, source
  16. Under ECPA, there are some cases in which the courts recognize that the requirements of the Fourth Amendment can be met with lower standards than probable cause. As a result, a warrant based on probable cause is not necessary and rather law enforcement, depending on how intrusive the data request is, can obtain a subpoena or a court order, such as a D-order, instead. D-orders require a higher standard than a subpoena. They are most commonly used to obtain non-content, transactional customer records such as the addresses of websites that an individual has visited and the email addresses of other people the individual has corresponded with. Electronic Privacy Information Center, "Electronic Communications Privacy Act (ECPA)", source, Spandana Singh and Meghna Bal, “Bridging the Transparency Gap” New America’s Open Technology Institute and The Esya Centre, Aug. 19, 2021, source
  17. This debate was brought up by the Microsoft Corp. v. United States case, as Microsoft refused to turn over data to U.S. law enforcement agencies based on the reasoning that the data was being stored in Ireland. The passage of the CLOUD Act resolved the dispute between Microsoft and the U.S. government and has now created a more streamlined structure with which U.S. law enforcement agencies can obtain access to data for investigations. Bradford Franklin, Sharon. "The Microsoft-Ireland Case: A Supreme Court Preface to the Congressional Debate." Lawfare. February 22, 2018. source
  18. Goitein, Elizabeth. “The government can’t seize your digital data. Except by buying it.” Washington Post. April 26, 2021. source
  19. Hill, Kashmir. “The Secretive Company That Might End Privacy as We Know It.” New York Times. January 18, 2020. source
  20. Ibid.
  21. Ibid.
  22. Senate Committee on Commerce, Science and Transportation. “A Review of the Data Broker Industry: Collection, Use, and Sale of Consumer Data for Marketing Purposes.” December 18, 2013. source
  23. Advertising market analysts BIA Advisory Services estimated that location-targeted advertising reached an estimated $21 billion in 2018, according to the New York Times. See: Valentino-DeVries, Jennifer et al.. “Your Apps Know Where You Were Last Night, and They’re Not Keeping It Secret.” New York Times. December 10, 2018. source
  24. Newman, Lily Hay. “A Simple Way to Make It Harder for Mobile Ads to Track You.” Wired. September 21, 2019. source
  25. Cox, Joseph. “How the U.S. Military Buys Location Data from Ordinary Apps.” Vice. November 16, 2020. source
  26. Tau, Byron and Michelle Hackman. “Federal Agencies Use Cellphone Location Data for Immigration Enforcement.” The Wall Street Journal. February 7, 2020. source
  27. Rivlin-Nadler, Max. “How ICE uses Social Media to Surveil and Arrest Immigrants.” The Intercept. December 22, 2019. source
  28. Lyons, Kim. “Congress investigating how data broker sells smartphone tracking info to law enforcement.” The Verge. June 25, 2020. source
  29. House Committee on Oversight and Reform. “Members Launch Bicameral Investigation Into Company Tracking, Collecting, and Selling Consumers’ Location Data.” June 24, 2020. source
  30. Tau, Byron. “Homeland Security Watchdog to Probe Department’s Use of Phone Location Data.” The Wall Street Journal. December 2, 2020. source
  31. Tau, Byron. “How Cell Phone Data Collected for Advertising Landed at U.S. Government Agencies,” The Wall Street Journal. November 18, 2021. source
  32. Aaron Rieke et al. “Data Brokers in an Open Society.” Open Society Foundation. 2016, p. 22. source
  33. Ibid., p. 22.
  34. Carpenter v. United States, 138 S. Ct. 2206 (2018).
  35. Section 2703 of the Stored Communications Act allows the government to compel disclosure of transactional records based on “reasonable grounds to believe” that the information is relevant. This standard is less stringent than the Fourth Amendment’s “probable cause” warrant requirement. Fernandes, Sean, Supreme Court Addresses Stored Communications Act Cases, American Bar Association, February 15, 2019, source.
  36. Goitein, Elizabeth. “The government can’t seize your digital data. Except by buying it.” Washington Post. April 26, 2021. source
  37. Letter to Attorney General Barr, March 21, 2019. source
  38. H.R. 6172, USA FREEDOM Reauthorization Act of 2020, source
  39. Kirchner, Lauren. “When Zombie Data Costs You a Home.” The Markup. October 6, 2020. source
  40. Melendez, Steven. “When Background Checks Go Wrong.” Fast Company. November 17, 2016. source
  41. Vermont Statute 9 V.S.A § 2430 requires data brokers to disclose information about their activities to the state, which in turn compiles an online database of registered data brokers. See source. In September 2020, California followed suit by introducing California Civil Code § 1798.99.80, which requires data brokers to register with the state. source
  42. For example, the California law defines data brokers as “a business that knowingly collects and sells to third parties the personal information of a consumer with whom the business does not have a direct relationship.” source. This definition articulates a distinction between a firm that is a data broker and a firm that engages in data brokerage, based on whether the firm has a direct relationship with the consumers whose data it is collecting and selling. As a result of this distinction, social media companies such as Facebook would not be considered data brokers if they chose to sell their users’ information to a third party (known as first-party data mining), as they have a direct business relationship with these users. Additionally, many data-selling and data-sharing firms that play critical roles in the data broker industry would also be exempted from the law. Because of this narrow interpretation of what a data broker is, some experts have characterized the California law as limited in its ability to actually rein in the harms associated with the sale of U.S. customer information as a whole. See Sherman, Justin. “Federal Privacy Rules Must Get ‘Data Broker’ Definitions Right.” Lawfare. April 8, 2021. source. The Vermont definition is similar to the California definition of data broker, except it also includes firms that license information to a third party. This broader definition of a data broker creates more room to target a range of firms in the data broker industry, and reflects an acknowledgment of the complex data flows that occur between private companies in the country.
  43. Patel, Nilay and Adi Robertson. “Donald Trump Trying to Control the FCC is a ‘Disaster’ Says Sen. Ron Wyden.” The Verge. August 4, 2020. source
  44. Wyden, Ron. “Wyden, Paul and Bipartisan Members of Congress Introduce The Fourth Amendment Is Not For Sale Act.” April 21, 2021. source
  45. Goitein, Elizabeth. “Surprising Senate Vote Signals New Hope for Surveillance Reform.” Brennan Center. May 16, 2020. source; Wyden, Ron. “Wyden Opposes Warrantless Government Surveillance of Americans’ Internet Browsing History.” May 13, 2020. source
  46. Law Enforcement Directive. April 27, 2016. source
  47. Art 6. General Data Protection Regulation. source
  48. Ibid.
  49. Information Commissioner’s Office. “Sharing personal data with law enforcement authorities.” source
  50. As the 2013 U.S. Senate report noted, “a number of [popular data brokers’] products focus on consumers’ financial vulnerability, carrying titles such as ‘Rural and Barely Making It,’ ‘Ethnic Second-City Strugglers,’ ‘Retiring on Empty: Singles,’ ‘Tough Start: Young Single Parents,’ and ‘Credit Crunched: City Families.’” source
  51. Park, Claire. “How ‘Notice and Consent’ Fails to Protect Our Privacy.” New America. Open Technology Institute. March 23, 2020. source
  52. New America. “Principles for Privacy Legislation.” Open Technology Institute. November 13, 2018. source
  53. OECD, Government Access to Personal Data Held by the Private Sector: Statement by the OECD Committee on Digital Economy Policy, December 2020, source
  54. Sherman, Justin. “Federal Privacy Rules Must Get ‘Data Broker’ Definitions Right.” Lawfare. April 8, 2021. source
  55. Bulk Personal Datasets have been widely criticised by privacy organisations as being too intrusive and allowing for an unprecedented accumulation and analysis of data. Independently of the debate regarding BPDs more specifically, we want to highlight the awareness of the oversight body for the need for warrants in these specific cases.
  56. NSIRA. “2019 Annual Report.” 2020. Available at: source content/uploads/2020/12/AR-NSIRA-Eng-Final.pdf, p.46 and p.63.
  57. Hatch, Garrett, Privacy and Civil Liberties Oversight Board: New Independent Agency Status, Congressional Research Service, August 27, 2012, source