How US Spy Agencies Buy Personal Data

How US Spy Agencies Buy Personal Data

Despite stringent laws restricting the government’s surveillance of American citizens, intelligence agencies have found a new, more straightforward path to data acquisition.

Since the 1970s, the United States has implemented laws to restrict the government’s surveillance of American citizens through wiretaps, cyber espionage, and physical tracking. But recently, intelligence agencies have discovered an easier way to procure data. The U.S. government regularly purchases vast amounts of data from smartphones, social media platforms, automobiles, and location trackers, according to a report released in July by the Office of the Director of National Intelligence (ODNI). 

The Role of Commercially Available Information (CAI)

Commissioned by Director of National Intelligence Avril Haines and completed in January 2022, the report constitutes the first time the U.S. government has investigated how federal agencies use commercially available data (CAI). Notably, Senator Ron Wyden (OR), who has warned about the potential transformation of the U.S. into an “irreversible surveillance state” with the growth of personal data collection, has long been campaigning for an investigation.

Bypassing Privacy Measures: Legal Loopholes Exploited

The report highlights the way the government is sidestepping measures put in place to protect the privacy of collected data. For instance, while acquiring access to a device’s location typically requires a judge’s signature under the Fourth Amendment, the government sidesteps this requirement by paying for the tracking of millions of Americans’ phones.

Real-world Consequences: From Public Shaming to Business Intelligence

This loophole is technically legal, according to the government, because the data is “publicly available.” US spy agencies and other government bodies also assert that CAI based on smartphone location or ad-tracking records is “anonymized,” before being made available for sale. But the report clarified that it is relatively easy “to deanonymize and identify individuals.” This means the government can identify participants at a protest or rally, for example, raising concerns that the same data could also be turned against Americans for the purposes of blackmail, stalking, harassment, and public shaming.

For instance, a Catholic priest was exposed in 2021 by Catholic news outlet Pillar with the help of data from the dating app Grindr. While it is unclear how Pillar accessed the data, Grindr was fined earlier this year by Norway’s Data Protection Authority for giving information about its users to several advertising companies, including their precise locations and user tracking codes, according to the Norwegian Consumer Council. A 2018 BuzzFeed News investigation found that Grindr shared users’ HIV statuses, locations, email addresses, and phone identifiers with two other companies.

The Role of Private Companies in Government Surveillance

But public shaming is just the tip of the iceberg when it comes to using CAI. Most buyers of data are marketing firms, hedge funds, well-known companies, and others who say that the data is used for business purposes, like deciding where to build a retail store. But some third-party companies, such as Babel Street and Locate X, also cater to law enforcement, the military, intelligence agencies, and defense contractors, often through a private company that is contracted to that agency. With such access, federal agencies can query and filter data about the movements of billions of people at once. 

Case Study: How Federal Agencies Use CAI

For example, they can start from a single time and place, analyzing the data on the movements of countless people simultaneously to uncover detailed information about their residences, workplaces, and travel patterns. Notably, the U.S. Special Operations Command (USSOCOM), who deal with counterterrorism, counterinsurgency, and special reconnaissance, purchased access to Locate X to assist on overseas special forces operations. 

The report reveals that government agencies often use contracts with private companies to purchase personal data. For example, the Defense Intelligence Agency contracts with LexisNexis, the Navy collaborates with Sayari Analytics, and the FBI has partnered with cybersecurity company ZeroFox for social media alerts. Additionally, the Department of Homeland Security has used Web of Science, a clearinghouse for academic studies, to identify foreign researchers working in the US who were tied to their home country’s militaries.  

A Call to Action: How to Protect Our Privacy Rights

Senator Wyden and others are sounding the alarm about the secret purchase of location and other digital data by agencies with the power to surveil and prosecute Americans. He recently urged Congress to pass legislation to “put guardrails around government purchases, to rein in private companies that collect and sell this data and keep Americans’ personal information out of the hands of our adversaries.”

While this report sheds light on the complexities and ambiguities of government surveillance in the digital age, it is clear that we cannot remain passive spectators. As technology advances, so must our understanding and regulation of its use, especially when it pertains to our privacy. If you are concerned about these revelations, remember that your voice matters.

Educate yourself about digital rights and privacy legislation. Contact your elected officials and express your concern about these practices. Demand transparency in how your data is used and protection against its misuse. Consider supporting organizations that advocate for digital privacy, like the Electronic Frontier Foundation (EFF) and the American Civil Liberties Union (ACLU).

We, as citizens, have the power to shape the digital future. Let us ensure that is a future where privacy rights are not just an afterthought, but a fundamental principle. Remember, our personal data tells the story of our lives, and it is a story we should have control over.

For additional resources and guidance, the Interfor team is here to help.