The Defense Intelligence Agency has been using smartphone location data purchased from commercially available databases, according to an intelligence memo obtained by CyberScoop.
The DIA, which primarily provides intelligence to support U.S. military operations, has been gathering the location data on both Americans and non-U.S. citizens dating back two-and-a-half years, according to the memo, which was drafted by the DIA for the offices of Sen. Ron Wyden, D-Ore., states.
The DIA has sought to access Americans’ data and their past movements a total of five times in that time period, according to the memo. The memo did not state the number of times non-citizens’ data was queried.
While the agency did not describe what the searches encompassed, the memo makes clear that the agency is obtaining sensitive location data without a warrant. The Department of Homeland Security’s Immigration and Customs Enforcement previously suggested in a legal memo that government officials could track the locations of immigrants by buying cell phone data from private companies, rather than going trough typical court channels.
Numerous news outlets — including Motherboard and the Wall Street Journal — have detailed ways that the U.S. government obtains user data from data brokers. Privacy advocates have taken notice, and Wyden has indicated he will propose legislation meant to curb the practice.
“There ought to be transparency so that the American people know what kind of surveillance is being conducted on them,” Wyden said in a speech earlier this week on the Senate floor. The intelligence community, “instead of getting an order, just goes out and purchases the private records of Americans from these sleazy and unregulated commercial data brokers who are simply above the law” when they shouldn’t be, he said.
The DIA memo in question does not name which commercial data broker or brokers the DIA is using, only adding that a DIA-funded agency has been purchasing the data. The agency clarified that it separates location data from Americans and foreign nationals into different databases.
The Supreme Court ruled in 2018 in Carpenter v. United States that a warrant is required for phone companies to provide the U.S. government with phone location data. Chief Justice John Roberts, who wrote the majority opinion in that case, noted that although the individuals in that case had a legitimate expectation of privacy with respect to their cell phone location information, the decision was not meant to apply to “business records that might incidentally reveal location information.”
The DIA notes this distinction in its Jan. 15 memo to Wyden, adding that the agency “does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially available data for intelligence purposes,” as the New York Times first reported.
Avril Haines, President Joe Biden’s newly confirmed Director of National Intelligence, told lawmakers earlier this week during her confirmation hearing that she thinks it’s important that Americans have a clear picture of when the U.S. government is buying their private data and under what authorities.
In order to protect the defense industrial base against unwanted location tracking, the NSA itself issued a warning last year about the dangers of mobile devices leaking location data to unwanted parties. In a publication listing mitigations for users concerned about revealing their location to eavesdroppers, the NSA recommended applications, which can aggregate and collect location data they don’t need to function, be given as few location permissions as possible.
“Location data can be extremely valuable and must be protected. It can reveal details about the number of users in a location, user and supply movements, daily routines (user and organizational), and can expose otherwise unknown associations between users and locations,” the NSA warned.