U.S. Spy Agencies Know Your Secrets. They Bought Them.
Commercial data brokers are providing the government with personal information that might otherwise require search warrants. Should that be allowed?
Last November, Michael Morell, a former deputy director of the Central Intelligence Agency, hinted at a big change in how the agency now operates. “The information that is available commercially would kind of knock your socks off,” Morell said in an appearance on the NatSecTech podcast. “If we collected it using traditional intelligence methods, it would be top secret-sensitive. And you wouldn’t put it in a database, you’d keep it in a safe.”
In recent years, U.S. intelligence agencies, the military and even local police departments have gained access to enormous amounts of data through shadowy arrangements with brokers and aggregators. Everything from basic biographical information to consumer preferences to precise hour-by-hour movements can be obtained by government agencies without a warrant.
Most of this data is first collected by commercial entities as part of doing business. Companies acquire consumer names and addresses to ship goods and sell services. They acquire consumer preference data from loyalty programs, purchase history or online search queries. They get geolocation data when they build mobile apps or install roadside safety systems in cars.
But once consumers agree to share information with a corporation, they have no way to monitor what happens to it after it is collected. Many corporations have relationships with data brokers and sell or trade information about their customers. And governments have come to realize that such corporate data not only offers a rich trove of valuable information but is available for sale in bulk.
Immigration and Customs Enforcement has used address data sold by utility companies to track down undocumented immigrants. The Secret Service has used geolocation data to fight credit card fraud, while the Drug Enforcement Administration has used it to try to find a kidnapping victim in Mexico. A Department of Homeland Security document revealed that the agency used purchased location data from mobile phones to “identify specific stash houses, suspicious trucking firms in North Carolina, links to Native American Reservations in Arizona, connections in Mexico and Central America which were not known and possible [accomplices] and international links to MS- 13 gang homicides.” And one government contractor, as part of a counterintelligence demonstration, used data from the gay-themed dating site Grindr to identify federal employees having sexual liaisons on the clock.
Whatever the U.S. can do with commercial data, foreign governments can do too. Last week, President Biden signed an executive order to prevent certain adversary countries, especially China and Russia, from buying bulk commercial data sets about Americans, including genetic information and personal movement information. But the order didn’t address the issue of how the U.S. government itself uses commercial data to get around constitutional protections for civil liberties. That issue is now before Congress as lawmakers consider reauthorizing a key surveillance law, prompting a debate over whether it’s appropriate for government and corporate power to become so intertwined.
In January 2022, a group of advisers convened by the U.S. Director of National Intelligence issued a report on the changing nature of intelligence. The report, withheld from the public for nearly a year and a half, concluded that “Today, in a way that [few] Americans seem to understand, and even fewer of them can avoid,” governments can purchase “information on nearly everyone that is of a type and level of sensitivity that historically could have been obtained, if at all, only through targeted (and predicated) collection.”
Earlier generations of data brokers vacuumed up information from public records like driver’s licenses and marriage certificates. But today’s internet-enabled consumer technology makes it possible to acquire previously unimaginable kinds of data. Phone apps scan the signal environment around your phone and report back, hourly, about the cell towers, wireless earbuds, Bluetooth speakers and Wi-Fi routers that it encounters.
The National Security Agency recently acknowledged buying internet browsing data from private brokers, and several sources have told me about programs allowing the U.S. to buy access to foreign cell phone networks. Those arrangements are cloaked in secrecy, but the data would allow the U.S. to see who hundreds of millions of people around the world are calling.