Senator Ron Wyden plans to introduce new legislation that would stop law enforcement agencies from purchasing data they would ordinarily require a warrant or court order to obtain, the Senator's office told Motherboard.
Recently agencies have bought information from the commercial sector, such as location data collected from smartphone apps, that in other contexts would be covered by the Fourth Amendment. But because the agencies purchased the data via a third-party, they did not need to go through the courts, essentially bypassing standard legal protections.
"Americans' constitutional rights shouldn't vanish when the government uses a credit card instead of a court order. Surveillance is surveillance, which is why I am working to close this loophole," Wyden told Motherboard in a statement this week.
Do you know about any other technological products law enforcement agencies are buying? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, OTR chat on firstname.lastname@example.org, or email email@example.com.
Wyden's office explained that the move comes particularly after The Wall Street Journal found a company called Venntel, which buys smartphone location data from marketing companies, sold data to federal agencies, including Immigration and Customs Enforcement. The Department of Homeland Security, Customs and Border Protection, and ICE used the pseudonymised data for border security and other law enforcement efforts, The Wall Street Journal added.
Wyden's office then found that the IRS had used the commercially-sourced data to try and find suspects. The IRS failed to find any suspects during the year it paid for the service, The Wall Street Journal reported.
Typically if a law enforcement official wants to find the physical location of a device, they would need to make a legal request to a telecom provider for related cell tower information, or, for example, to Google for the device's GPS-coordinate history.
Wyden's office added that the legislation, that is planned to be proposed before the August recess, would focus on how the data is legally handled rather than on specific technologies.
Although not necessarily falling under this proposed legislation, on Wednesday Motherboard reported that government agencies have bought previously hacked data of websites from at least one company, including passwords, email addresses, and IP addresses.
Subscribe to our cybersecurity podcast, CYBER.