On this episode of Privacy Abbreviated, hosts Dona Frazier, Senior Vice President of Privacy Initiatives at BBB National Programs, and Jason Cronk, chair and founder of the Institute of Operational Privacy Design, are joined by guest Matthew Tokson, professor at the University of Utah College of Law. He joins them to discuss government purchasing of private data.
Dona launches us into the conversation, asking Professor Tokson to define government purchase of private data and share with listeners why there is such a concern.
2:40- Professor Tokson addresses the question by helping us understand that the data he refers to deals with data collected on users of cell phones—mainly via apps used on phones. Usually, the data that is gathered is related to the location. However, it is not limited to location alone. All information collected by different applications or internet usage on a cell phone, such as browsing habits, is encompassed.
Professor Tokson shares that this data is often sold to data brokers and other third parties who can aggregate it in various useful ways. Now, marketers aren’t the only ones purchasing these gems. Government agencies, including law enforcement, also buy the collected data.
In June 2018, the Supreme Court ruled that the government could not track people’s locations via their cell phones in the CARPENTER v. UNITED STATES case. “The government seems to have found this as a way to circumvent some restrictions on information gathering activities … This is sort of a way around that,” Professor Tokson claries.
“Various government agencies, Department of Homeland Security, the DOJ, and all sorts of agencies have purchased location data and other consumer data for law enforcement purposes.” Professor Tokson adds that this has come with a host of interesting legal questions.
The United States customarily addresses privacy law on a sector-by-sector or use-by-use basis, which has led to the inability to pass the few proposed laws to regulate government purchases of private data.
7:00- Location data is being purchased by national security organizations, the National Security Agency, and the Department of Defense’s Intelligence arm. The market for these data blocks was created after the security need that was exposed by the events of 9/11.
Post 9/11, these agencies have become big purchasers of location data, which they buy for national security purposes. When purchased for this intent, the Fourth Amendment may have less to say about it as long as the data is isolated and used solely for national security reasons.
Jason asks Professor Tokson to help listeners understand if location data is the only intel being sold to the government or if there are other data types consumers should be concerned about. He responds that demographic data, subscriber information, and web and email addresses could be sold but aren’t the most consequential cause of concern. He feels that the data point we should pay the most attention to is web traffic data.
13:09- This data is often telling. This entails IP addresses that someone visits and website URLs users explore. “The type of web surfing a person is doing, who they’re communicating with, what kind of websites they’re reading. I don’t know if you’ve ever gone back and looked at your browser history in any given browser, but it’s a personality fingerprint if you look at it. It could trace the contours of your day, your interests, and things like that. It can be very revealing,” Professor Tokson describes.
In true form, Dona always ensures our guests leave insight prominent to the small to medium-sized business (SMB) community. Regarding the topic of government purchases, Dona asked Professor Tokson to share what SMBs should be thinking about and doing. He warns that if you are a company engaged in selling a lot of data to the government or interacting with law enforcement in any cooperative or ongoing way, you could be found as a state actor. What this means is your business would be considered a brand of the government for whatever investigations they’re working on.
If your company is working with the government as a state actor and your activities are found to violate the Fourth Amendment, that could expose you to civil rights liability. The consequences include fees or a warrant request. Suppose you receive a court order or a request for email or phone call records. In that case, it is important to be cautious to comply with the Stored Communications Act and the Electronic Communications Privacy Act. Professor Tokson explains that both laws have different provisions requiring the government to meet specific requirements, including obtaining a court order to request certain information.
Professor Tokson leaves us with a few more recommendations on how to be a business that thoughtfully and lawfully engages in government purchases. He also leaves listeners with his final word, sharing one privacy issue he wished he could solve tomorrow.
“I would really like the Supreme Court to set out a clear-cut test along the lines of their carpenter decision. That would make me a happy professor.”
Listen to the complete episode here.