Several agencies of the federal government have been purchasing cellphone location data without a warrant from a third-party company, Venntel. This development raises new privacy questions that have not been properly addressed by the judiciary or legislation. The Department of Homeland Security (DHS), along with its divisions Immigration and Customs Enforcement (ICE) and Customs and Border Patrol (CBP), has used this data for immigration enforcement. These uses include ICE locating undocumented immigrants who were later arrested and CBP searching for cell activity near remote areas on the U.S.-Mexico border.

Venntel licenses subscriptions to its database of location data. Last year alone, CBP bought over $1 million in licenses from Venntel. The Drug Enforcement Agency has also reportedly purchased data from Venntel, though its uses are still unknown. This data comes from a variety of phone applications—such as gaming or weather apps—that users download and provide with their location data. Users generally consent upon first opening an app, but few regularly read the policies. Even so, the average user likely won’t refrain from accessing the weather just to avoid relinquishing their personal data. In a 2019 survey of 727 app users who allow location tracking, 15% said they were uncomfortable with location tracking, and of those, 31% wanted complete privacy from companies. But despite this desire, these users—in addition to all of the other survey respondents—allow apps to track their location, suggesting privacy concerns alone may not be enough to turn users away from a location tracking app.

By purchasing these subscriptions, the federal government is circumventing the Supreme Court’s 2018 decision in Carpenter v. United States. Carpenter prohibits law enforcement from obtaining seven days of historical cell site location information of an individual directly from cellphone companies without a warrant. A possible open issue after Carpenter may allow the government to bypass this requirement for a warrant through its contract with Venntel. The data obtained in Carpenter was directly from a cellphone company and revealed personal information about Carpenter. Here the government is acting like a private company, purchasing data from a third party rather than the cellphone company. The Supreme Court has not addressed directly whether purchasing cellphone location data derived from phone applications from a third party implicates the Fourth Amendment.

Another way that police officers have been able to obtain location information is through use of stingray devices. Law enforcement agencies throughout the country have used stingrays for years to determine the location of a suspect. These devices are cell-site simulators, which emit cell signals that replicate a cell tower and get cellular devices to connect. Stingrays can be used to locate a known cellular device or to identify devices in a particular location. This second use implies that stingrays connect to the devices of bystanders who happen to be in the area being searched, regardless of whether they are a suspect.

In addition to location information used to identify a suspect, a stingray is capable of collecting the contents of communications from devices, and federal and state governments differ in how they address that capability. The Department of Justice (DOJ) released guidance stating that federal law enforcement agencies will not use stingrays for this purpose. As a matter of policy, DOJ also moved from traditionally requiring an order under the Pen Register Statute to requiring a warrant for stingray use, but this policy is limited to federal agencies. As of 2018, these devices are used by state and local agencies in over half of the states, with only about a third of states requiring a warrant.

Nathan Wessler, a lawyer for the ACLU who argued Carpenter, has argued that while the government and Venntel may be circumventing Carpenter, the apps providing the location data to Venntel could also be liable for knowingly providing the data to the government. The liability arises from a 1986 statute: the Stored Communications Act. The statute prohibits online providers of computing or communication services from “knowingly divulg[ing]” a customer’s data to a governmental entity. Depending on the type of apps Venntel collects the data from, a court could find that an app violated the statute if it knew Venntel was going to sell the data to the government.

Venntel’s database of location data is allegedly “pseudonymized,” which means each cellphone that is logged has a unique identifier that is not directly connected to the cellphone user’s name. However, previous reports have shown that even anonymized location data can provide enough information to identify a person based on his or her whereabouts over a period of time. CBP alleges that it protects privacy when using the cellphone location data. But DHS and its divisions have provided little information about how they actually use this data, raising questions about how they can ensure privacy. The location data can theoretically be used to track anyone whose data was sold, and private, personal information can be deduced from analyzing this data. It remains unclear what oversight—if any—agencies have in place to make sure these lines are not crossed.

Unless the courts address this particular use of location data by the government, only time will tell how the data will be used. A DOJ policy requiring a warrant for stingray use helps protect law-abiding Americans who happen to be in the location being searched from unnecessary surveillance. In a similar vein, a federal statute preventing apps or companies like Venntel from sharing personal data with the government without a warrant may be the next step toward properly recognizing the privacy of cellphone data. For now, consumers might want to think about the extent to which they should turn off location data access on their phone apps or actually read the privacy policy before they download an app.