A sweeping proposed piece of legislation with support from both Democrats and Republicans will ban law enforcement agencies from buying data from controversial firm Clearview AI, as well as force agencies to obtain a warrant before sourcing location data from brokers.
The news presents significant action against two of the main avenues of law enforcement surveillance uncovered in recent years: the widespread proliferation of facial recognition technology using images scraped from social media, and the warrantless supply chain of location data from ordinary smartphone apps, through middlemen, and eventually to agencies.
"The Fourth Amendment Is Not For Sale Act is, in my view, a critically important bill that will prevent agencies from circumventing core constitutional protections by purchasing access to data they would otherwise need a warrant to obtain," Kate Ruane, senior legislative counsel at the American Civil Liberties Union (ACLU), told Motherboard in a phone call. The ACLU and a host of civil, digital, and race activism groups have endorsed the bill, according to the office of Senator Ron Wyden, which has spearheaded the legislation. "I think it is a clear and good step for Congress to take, and I hope that the bill moves forward quickly,' Ruane added.
Do you work at any of the companies named in this piece? Do you work in the same industries? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on email@example.com, or email firstname.lastname@example.org.
"Doing business online doesn’t amount to giving the government permission to track your every movement or rifle through the most personal details of your life," Senator Ron Wyden told Motherboard in a statement. "There’s no reason information scavenged by data brokers should be treated differently than the same data held by your phone company or email provider. This bill closes that legal loophole and ensures that the government can’t use its credit card to end-run the Fourth Amendment."
Current sponsors of the bill include Sen. Rand Paul, R-Ky., Majority Leader Chuck Schumer, D-N.Y. Sen. Mike Lee, R-Utah, Sen. Steve Daines, R-Mont., Sen. Edward Markey, D-Mass., Sen. Tammy Baldwin, D-Wisc., Sen. Elizabeth Warren, D-Mass., Sen. Sherrod Brown, D-Ohio, Sen. Brian Schatz, D-Hawaii, Sen. Cory Booker, D-N.J., Sen. Bernie Sanders, D-Vt., Sen. Jeff Merkley, D-Ore., Sen. Jon Tester, D-Mont., Sen. Martin Heinrich, D-N.M., Sen. Mazie Hirono, D-Hawaii, Sen. Patty Murray, D-Wash., Sen. Maria Cantwell, D-Wash., Sen. Patrick Leahy, D-VT., and Sen. Richard Blumenthal, D-Conn, according to Senator Wyden's office.
House Judiciary Committee Chairman Jerry Nadler, D-N.Y., and House Administration Committee Chair Zoe Lofgren, D-Calif., will introduce the House version, the office added.
"This critical legislation will put an end to the government’s practice of buying its way around the Bill of Rights by purchasing the personal and location data of everyday Americans. Enacting the Fourth Amendment is Not For Sale Act will not only stop this gross abuse of privacy, but also stands for the fundamental principle that government exists to protect, not trade away, individual rights," Senator Paul said in a statement.
The bill itself is multi-pronged, tackling various surveillance technologies in different ways. For location data, agencies will need to obtain a court order to gather information from brokers rather than simply buying it like a company in the private sector. In February last year, The Wall Street Journal reported that a company called Venntel was selling location data harvested from apps to Immigration and Customs Enforcement and Border Protection. Motherboard then found more sales to CBP, and reported on which specific apps provide data to Venntel. Motherboard also found how multiple software development kits (SDKs)—the bundles of code that collect location data—gathered information from apps marketed towards Muslims. This included Predicio, which was connected to Venntel’s data supply chain. Google banned Predicio from the Play Store after Motherboard's reporting. Google and Apple also banned another SDK called X-Mode from its app stores after one of Motherboard’s investigations.
"It is well past time for Congress to pass a law like this. Despite the Supreme Court’s ruling in Carpenter v. United States in 2018, federal agencies like ICE and CBP still seem to think they don’t need legal process to access location data on millions of people in the United States as long as they can buy it on the open market. That’s wrong, and this bill would make that clear," Jennifer Lynch, surveillance litigation director at the Electronic Frontier Foundation, told Motherboard in an email.
For Clearview and potentially other law enforcement contractors, the bill bans agencies from purchasing data that has been obtained illicitly or through terms of services violations. Clearview's database of images is constructed by the company scraping social media sites. Google, Twitter, and Facebook have all sent cease-and-desist letters to Clearview.
"We look forward to engaging with policymakers on the best ways to protect consumer data and continue to be a resource for domestic law enforcement agencies to battle crimes against children, human trafficking, and domestic terrorism. While we haven’t seen this particular bill yet, we plan to carefully review it and provide feedback if given the opportunity," Hoan Ton-That, CEO of Clearview, told Motherboard in a statement.
Venntel and Babel Street, another firm that sells location data to government agencies, did not respond to requests for comment. ICE and CBP declined to comment on proposed legislation.
"A critically important bill."
"In general, U.S. Immigration and Customs Enforcement’s (ICE) use of Clearview AI’s facial recognition technology is primarily used by Homeland Security Investigations (HSI). HSI’s use of facial recognition and the policies and procedures that have been implemented are for HSI special agents in furtherance of criminal investigations," an ICE spokesperson told Motherboard in a statement.
Motherboard previously reported on how law enforcement agencies have used contractors to purchase hacked website data. The new legislation may prohibit those sorts of sales too, because the data in many cases would have been originally sourced from a criminal hack.
According to the office of Senator Wyden, a wide range of civil rights and technology groups endorsed the legislation, including Access Now, Accountable Tech, American Civil Liberties Union, Americans for Prosperity, Center for Democracy and Technology, Color of Change, Demand Progress, Due Process Institute, Electronic Frontier Foundation, Fight for the Future, Freedom of the Press Foundation, FreedomWorks, Free Press Action, Interactive Advertising Bureau, MediaJustice, Mozilla, NAACP, National Association of Criminal Defense Lawyers, Network Advertising Initiative, Open Technology Institute at New America, Open The Government, PEN America, Project on Government Oversight, Public Citizen, Public Knowledge, Project for Privacy and Surveillance Accountability, Restore the Fourth, Mijente, Just Futures Law, and Brennan Center for Justice.
Update: This piece has been updated to include a statement from Hoan Ton-That, CEO of Clearview AI.
Subscribe to our cybersecurity podcast CYBER, here.