Memo notes location-data purchases

Agency says no warrants used in searching smartphone logs

WASHINGTON -- A military arm of the intelligence community buys commercially available databases containing location data from smartphone apps and searches it for Americans' past movements without a warrant, according to an unclassified memo obtained by The New York Times.

Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past 2½ years, agency officials disclosed in a memo they wrote for Sen. Ron Wyden, D-Ore.

The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker -- and does not believe it needs a warrant to do so.

"DIA [Defense Intelligence Agency] does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes," the agency memo said.

Wyden has made clear that he intends to propose legislation to add safeguards for Americans' privacy in connection with commercially available location data. In a Senate speech this week, he denounced circumstances "in which the government, instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law."

He called the practice unacceptable and an intrusion on constitutional privacy rights. "The Fourth Amendment is not for sale," he said.

The government's use of commercial databases of location information has come under increasing scrutiny. Many smartphone apps log their users' locations, and the app-makers can aggregate the data and sell it to brokers, who can then resell it -- including to the government.

It has been known that the government sometimes uses such data for law enforcement purposes on domestic soil.

The Wall Street Journal reported last year about law enforcement agencies using such data. In particular, it found that two agencies in the Department of Homeland Security -- Immigration and Customs Enforcement, and Customs and Border Protection -- have used the data in patrolling the border and investigating people who were later arrested.

In October, BuzzFeed reported on the existence of a legal memo from the Department of Homeland Security opining that it was lawful for law enforcement agencies to buy and use smartphone location data without a warrant. The department's inspector general has opened an internal review.

The military also has been known to sometimes use location data for intelligence purposes.

In November, Vice's Motherboard tech blog reported that Muslim Pro, a Muslim prayer and Koran app, had sent its users' location data to a broker called X-Mode that in turn sold it to defense contractors and the U.S. military. Muslim Pro then said it would stop providing data to X-Mode, and Apple and Google said they would ban apps that use the company's tracking software from phones running their mobile operating systems.

The new memo for Wyden, written in response to inquiries by a privacy and cybersecurity aide in his office, Chris Soghoian, adds to that emerging mosaic.

The Defense Intelligence Agency appears to be buying and using location data mainly for investigations about foreigners abroad; one of its main missions is detecting threats to U.S. forces stationed around the world.

But, the memo said, the unidentified broker or brokers from which the government buys bulk smartphone location data does not separate American and foreign users. The Defense Intelligence Agency instead processes the data as it arrives to filter those records that appear to be on domestic soil and puts them in a separate database.

Agency analysts may query that separate database of Americans' data only if they receive special approval, the memo said, adding, "Permission to query the U.S. device location data has been granted five times in the past 2½ years for authorized purposes."

Wyden asked Avril Haines, President Joe Biden's new director of national intelligence, about what he called "abuses" of commercially available locational information at her confirmation hearing this week. Haines said she was not yet up to speed on the topic but stressed the importance of the government being open about the rules under which it is operating.

Upcoming Events