WASHINGTON — A military arm of the intelligence community buys commercially available databases containing location data from smartphone apps and searches that data for Americans’ past movements without a warrant, according to an unclassified memo obtained by The New York Times.
Defense Intelligence Agency analysts have searched for the movements of Americans within a commercial database in five investigations over the past two and a half years, agency officials disclosed in a memo they wrote for Senator Ron Wyden, Democrat of Oregon.
The disclosure sheds light on an emerging loophole in privacy law during the digital age: In a landmark 2018 ruling known as the Carpenter decision, the Supreme Court held that the Constitution requires the government to obtain a warrant to compel phone companies to turn over location data about their customers. But the government can instead buy similar data from a broker — and does not believe it needs a warrant to do so.
“D.I.A. does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,” the agency memo said.
Mr. Wyden has made clear that he intends to propose legislation to add safeguards for Americans’ privacy in connection with commercially available location data. In a Senate speech this week, he denounced circumstances “in which the government, instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law.”
He called the practice unacceptable and an intrusion on constitutional privacy rights. “The Fourth Amendment is not for sale,” he said.
The government’s use of commercial databases of location information has come under increasing scrutiny. Many smartphone apps log their users’ locations, and the app makers can aggregate the data and sell it to brokers, who can then resell it — including to the government.
It has been known that the government sometimes uses such data for law enforcement purposes on domestic soil.
The Wall Street Journal reported last year about law enforcement agencies using such data. In particular, it found, two agencies in the Department of Homeland Security — Immigration and Customs Enforcement, and Customs and Border Protection — have used the data in patrolling the border and investigating immigrants who were later arrested.
In October, BuzzFeed reported on the existence of a legal memo from the Department of Homeland Security opining that it was lawful for law enforcement agencies to buy and use smartphone location data without a warrant. The department’s inspector general has opened an internal review.
The military has also been known to sometimes use location data for intelligence purposes.
In November, Vice’s Motherboard tech blog reported that Muslim Pro, a Muslim prayer and Quran app, had sent its users’ location data to a broker called X-Mode that in turn sold it to defense contractors and the U.S. military. Muslim Pro then said it would stop sharing data with X-Mode, and Apple and Google said they would ban apps that use the company’s tracking software from phones running their mobile operating systems.
The new memo for Mr. Wyden, written in response to inquiries by a privacy and cybersecurity aide in his office, Chris Soghoian, adds to that emerging mosaic.
The Defense Intelligence Agency appears to be mainly buying and using location data for investigations about foreigners abroad; one of its main missions is detecting threats to American forces stationed around the world.
But, the memo said, the unidentified broker or brokers from which the government buys bulk smartphone location data does not separate American and foreign users. The Defense Intelligence Agency instead processes the data as it arrives to filter those records which appear to be on domestic soil and puts them in a separate database.
Agency analysts may only query that separate database of Americans’ data if they receive special approval, the memo said, adding, “Permission to query the U.S. device location data has been granted five times in the past two and a half years for authorized purposes.”
Mr. Wyden asked Avril D. Haines, President Biden’s new director of national intelligence, about what he called “abuses” of commercially available locational information at her confirmation hearing this week. Ms. Haines said she was not yet up to speed on the topic but stressed the importance of the government being open about the rules under which it is operating.
“I would seek to try to publicize, essentially, a framework that helps people understand the circumstances under which we do that and the legal basis that we do that under,” she said. “I think that’s part of what’s critical to promoting transparency generally so that people have an understanding of the guidelines under which the intelligence community operates.”
Mr. Wyden’s coming legislation on the topic appears likely to be swept into a larger surveillance debate that flared in Congress last year before it temporarily ran aground after erratic statements by President Donald J. Trump, as he stoked his grievances over the Russia investigation, threatening to veto the bill and not making clear what would satisfy him.
With Mr. Biden now in office, lawmakers are set to resume that unresolved matter. The legislation has centered on reviving several provisions of the Patriot Act that expired and whether to put new safeguards on them, including banning the use of a part known as Section 215 to collect web browsing information without a warrant.