A couple of days ago the Director of National Intelligence declassified a report written by an advisory group about the dangers of Commercially Available Information (CAI). This is information compiled by private companies and then sold to whoever pays for it—and it includes an astonishing array of data about individuals:
CAI can be obtained from public records, sometimes digitized from paper originals, such as information about real estate transactions that can be found in local title offices or courthouses. It can be obtained from smartphone and other software applications, often in the form of software development kits, that collect information from devices in the U.S. and abroad. And CAI can be obtained from cookies and other methods, sometimes associated with real-time bidding for sales of online advertising, that track end users as they browse the Internet.
....CAI can also be combined, or used with other non-CAI data, to reverse engineer identities or deanonymize various forms of information.
CAI is widely used within the intelligence community, and one of the advisors' biggest concerns is location data. If the federal government wanted to track you or me, it would normally have to show probable cause and get a warrant. But what if you can just buy tracking data instead?
The government would never have been permitted to compel billions of people to carry location tracking devices on their persons at all times, to log and track most of their social interactions, or to keep flawless records of all their reading habits. Yet smartphones, connected cars, web tracking technologies, the Internet of Things, and other innovations have had this effect without government participation. While the IC cannot willingly blind itself to this information, it must appreciate how unfettered access to CAI increases its power in ways that may exceed our constitutional traditions or other societal expectations.
CAI also implicates civil liberties. CAI can disclose, for example, the detailed movements and associations of individuals and groups, revealing political, religious, travel, and speech activities. CAI could be used, for example, to identify every person who attended a protest or rally based on their smartphone location or ad-tracking records. Civil liberties concerns such as these are examples of how large quantities of nominally “public” information can result in sensitive aggregations.
To summarize: (a) CAI is widely available, (b) it can be deanonymized so that it identifies specific individuals, (c) among many other things, it offers tracking data on individuals, and (d) no warrant is required to use it.
What to do? Should government agencies be allowed to use this? If not, does it make sense that literally anybody can use it except for government agencies?
In any case, this is not just theoretical. The Defense Intelligence Agency is already using commercial tracking data, although it segregates US location data into its own database with limited access. Approval for access is apparently rare,¹ but it notably requires only agency approval, not a warrant signed by a judge.
The best answer to this problem would probably be to prohibit commercial collection of location data in the first place. That's not likely to happen, nor is it likely that government agencies will be prohibited from buying commercially available databases. But the second or third best option is to at least require a warrant to use information that would otherwise require it. Unfortunately, Supreme Court precedent on this is fuzzy. It's something they should take up.
¹DIA says that permission has been granted five times in the past two-and-a-half years.
> nor is it likely that government agencies will be prohibited from buying commercially available databases.
But that is precisely the correct solution. PII (personally identifiable information) is supposed to be strongly protected. We do want to allow our automated assistant to know a lot about us, but we don't want the automation sharing that data willy nilly. Thus it should be illegal for anyone who acquires PII to give or sell that data to another party. (Especially in bulk. There are likely carve outs for a piece of automation sharing relevant small amounts of PII with other automation to accomplish a specific task on behalf of the human.)
I can make $200 an hour working on my home computer. {h42 I never thought it was possible, but my closest friend made $25,000 in just five weeks working on this historic project. convinced me to take part. For more information,
Click on the link below... https://GetDreamJobs1.blogspot.com
Interesting timing, Kevin. Today's Seattle Times reprinted an NYT article about the hunt for the person who (allegedly) murdered four Idaho University students in mid-November. PII played a major role in identifying a suspect. And it didn't sound like they relied on search warrants. Surveillance tapes, cell phone tower data, DNA analysis (trace off blood found in the sheath for a K-bar knife, later matched with evidence found in trash, publicly available genealogy records, etc.
How many mass murders have they stopped with this info?
Probably about as many as security cameras have.
Requiring a warrant or preventing the government from using publicly available information makes no sense. The Fourth Amendment makes the government less powerful than a king, not less powerful than private entities. A king could search your home at his whim. A private entity can’t search your home at all. The government can search your home only with a warrant.
But there’s no premise for preventing the government from knowing what any other entity can know.
What makes sense is making it illegal for private entities to have access to this sort of data, and THEN only allowing the government access to it with a warrant.
There’s no such thing as a warrant-free zone. The entire point of the Fourth Amendment is that the government CAN search your private sphere (your home, papers, and effects), but ONLY with a warrant.
You seem to be under the impression that tracking is generally limited to advertisement use. Many auto insurers use devices to collect location data to charge by the mile. Even services like Netflix track your geolocation based on your IP in order to geofence your access to content. Your logins/access to Google and other sites are geolocated so that remote access hacks are trackable. Your proposal would eliminate a lot of services that are widely used.
I'm of the belief that, as a baseline, any collected personally identifiable location data must be deleted after 6 months, if not subsequently anonymized or made retrievable only by the end-user.
But those examples are companies using the data for the purpose of their service, not packaging and collating it for third parties who could be anyone.
That's correct, but the premise offered wasn't to do a GDPR type law; it was to block the commercial collection of location data.
I took it to mean for the purpose of re-selling it, which I think should be banned, and, however hard that might be, focusing attention on the issue will be an improvement.
Prohibiting selling (as opposed to collecting) does have the downside that it tilts the playing field in favor of large companies (who are in a position to collect more data themselves) and against small companies (who won't be able to compensate for their small size by buying data from third parties). But it still may be the best option.
It's not really a problem until it becomes a tragedy.
Standard operating procedure for modern human society.
The default should always have been that information was protected. Instead, the default was anything goes and putting that genie back in the bottle is going to be pretty close to impossible.
This is also way more pervasive than most people realize. I remember years ago when the company that processed our checks started selling employment verification (salary info too) because they could. Your car tracks you, it's not just Tesla, you've got a phone plugged into AA/CarPlay, right, and all the rest of the manufacturers track too.
Police departments put up generic license plate readers, so everyone that drives by it gets captured. Information from public sources get aggregated in ways that can be tracked, although not always accurately.
Hell, everything you do is tracked. DoD is just doing what everyone else is doing.
"does it make sense that literally anybody can use it except for government agencies"
Why not? Isn't that the point of the Bill of Rights? Your employer can search your locker without a warrant. The government cannot. In many states, you can be fired because it's Tuesday. But the government cannot put you out of your job without due process. There are quite a few powers that are legitimate for private individuals and businesses but not for the government.
That said, it would be best to have a real data privacy law. I do everything I can think of to thwart tracking. But if we were to get that, suddenly all the things we get for free will cost money -- Maps, Social Media, Email, Search -- you name it.
Nobody has the right to search your locker without the permission of the the owner of the locker, except the government can do that if it obtains a warrant. Nobody other than your employer can fire you. So those aren't examples of things that anybody can do.
See Slashjc's comment above.
An article in Scientific American advocates regulation at the source:
Science Shouldn’t Give Data Brokers Cover for Stealing Your Privacy
Just to make clear what is already easily and cheaply available--this example stuck with me because it was presented as an obvious good idea in a marketing meeting I attended. A casino executive was talking about their marketing planning and analytics, and mentioned that "we just bought a data set showing where every phone that had been in the casino in the last month spends the day, and spends the night; then we used the information to target our mailings."
You did read about the conservative Catholic group outing priests who used Grindr?
This was inevitable as soon as we all started carrying smart phones.
So, as it turns out, there is a Santa Claus.
>Unfortunately, Supreme Court precedent on this is fuzzy. It's something they should take up.
Is it though? I think the current doctrine does not protect this information and it's not especially close.
By golly, there was not law against tracking people using their cell phones when the constitution was adopted, so there can't be one now!
/s
The Third Party Doctrine has been around for a very, very long time. These types of records are just not **YOUR** persons, houses, papers, and effects. These are business records created by third parties.
These records are also protected by the Stored Communications Act which provides an incremental layer of privacy protection above that required by the Fourth Amendment.
I find it ironic that we worry about the government accessing this data, yet ignore the tech and other companies and data brokers who collect and monetize this data. I am 61 years old and often talk to millennials about over-sharing with big data entities. Almost to a person they respond that they don't care because they're not doing anything wrong. I don't understand that position. The price of admission to utilizing a smartphone, smartwatch, and many other services and apps these days is often data-sharing and location tracking (even if you opt-out of almost everything). We need laws, like the European and California data laws, to regulate the collection and dissemination of data like this. To quote another commenter, I doubt that the "genie" can be put back into the bottle, but that's no reason not to start working on this problem.
Pingback: Our government can track us, really, really easily. - Privacy Parent