US Bought Location Data Without Warrants - ThreatWire
Added 2021-01-26 23:26:09 +0000 UTC
Weekly security and privacy news, brought to you by Shannon Morse.
An unclassified memo sent to Senator Ron Wyden’s office, in response to a request for information from Wyden’s senior advisor for privacy and cybersecurity, confirmed that the Defense Intelligence Agency (DIA) buys location data from brokers that was collected from citizens’ smartphones. This data is collected whether or not a citizen lives within the United States, and it isn’t separated by location when purchased.
Oftentimes, apps or websites collect this information and sell it to third-party data brokers. The collected data is then aggregated into profiles and sent to other parties - like government agencies.
According to the memo, the DIA receives the data from another agency that they fund. The data is global in scope and is not segregated into lists for “US location data” vs “foreign location data”; it’s all just included in one big dataset when they purchase it. The DIA then processes the data, separates it out based on location, and keeps separate databases. The memo also mentions that DIA personnel can only query the US location database when authorized to do so and with approval from the Office of General Counsel, Office of Oversight and Compliance, and the DIA senior leadership. They state that US location data has been queried five times in the past 2.5 years.
The memo includes a second question about how the DIA interprets the Supreme Court’s Carpenter decision, which, under the Fourth Amendment, requires agencies to get a warrant before compelling any private company, like a phone carrier, to give them data. They basically say they don’t need a warrant because they aren’t invoking law in order to get the data - they’re buying it from brokers. It says, quote, “We confirm that DIA does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes.”
But the DIA goes on to explain that the data they do collect, while not requiring a warrant, is acquired, used, and stored as governed by the DOD Attorney General data handling requirements. It sounds like a loophole in the system. If they buy the data, they don’t have to get a warrant. So they’re buying the data.
Users have some control over what kind of data is collected via apps on their phones. You can go into your OS settings and turn off location data on an app-by-app basis.
https://www.cnet.com/news/intelligence-agency-buys-location-data-on-us-residents-without-warrants/
https://www.cyberscoop.com/phone-location-data-privacy-dia-dhs/