What Your Digital Footprint Reveals and Who is Watching

Online data collection practices have come under scrutiny in recent years, with greater attention to the ethical implications of such practices. Many are realizing the extent of surveillance practices and what entities are using information collected by web browser cookies and tracking technology. Greater public attention has led to more significant data policy discussions: the Federal Trade Commission (FTC) has recently voiced concerns about the private sector’s data collection practices and was seeking public comment on the harms attributed to commercial surveillance practices. The White House also released a blueprint for an AI Bill of Rights that included data privacy as one of its five main pillars. Concerns about data collection, use, and sharing practices are not limited to the private sector – government access to digital records has come under scrutiny recently, spotlighted after the Supreme Court decision in Dobbs.

Policymakers must now get to the root of data collection, use, and sharing issues. This piece highlights some of the major pain points discussed among lawmakers, civil society, industry, and experts in the field. We review law enforcement’s use of court orders to gain information from some of the largest tech companies, thanks to publicly released reports. Then we examined how data brokers sell individuals’ personal information to governments for profit. Finally, we explored legal and policy challenges in this new digital age, focused around four main areas: privacy, security, transparency, and Fourth Amendment rights.

Public Sector Data Sharing and Transparency Reports

Starting as early as 2010, some companies began voluntarily releasing the number of government requests they received to disclose data about their users. This disclosure practice offers the public some transparency into government requests for online information and how often companies actually comply with those requests made by law enforcement. Transparency reporting soon became an industry-wide practice, even predating the 2013 NSA surveillance revelations that left the public skeptical of governments’ surveillance practices. Requests for information often come in the form of a subpoena or search warrant but, in some instances, can be made without a court order in the form of an emergency disclosure request. They may also target multiple or many accounts in a single information request.

Large technology platforms retain a wealth of information about people that may be desirable to external actors. Between January and June 2021, U.S. law enforcement issued:

• 63,657 requests for information from Meta (formerly Facebook), covering 111,117 user accounts (out of approximately 233 million U.S. accounts in 2021)
• 50,907 requests from Google, covering 115,594 user accounts (out of over 246 million unique U.S. visitors in 2021)
• 27,809 requests from Microsoft
• 18,742 requests from Snap Inc. (parent company of Snapchat)
• 3,000 requests from Twitter
• 577 requests from TikTok

In all, 164,692 requests were made in the first six months of 2021 from these six companies alone, targeting over 268,437 user accounts. The companies produced at least some data for most of these requests.

To understand how often law enforcement agencies take advantage of information collected by technology companies and the discretion used by them in satisfying these requests, we analyzed transparency reports from six companies consumed in this surveillance debate. Meta, Google, Microsoft, Snap Inc., Twitter, and TikTok have disclosed a wealth of knowledge to the public, allowing us to perform this analysis. Using law enforcement requests for user information data and accompanying information, we can assess general trends in government surveillance over the decade as they impacted these six companies. Overall, we found three important trends from this data:

1. U.S. law enforcement is making more requests for user information year over year;
2. The total user accounts affected may be twice that of the number of law enforcement requests and increasing at a faster rate; and
3. The compliance rate with these requests has stayed somewhat constant throughout the years averaging around 80%.

In Figure 1 below, we visualize these trends using six-month reporting periods. The first tab, “User Data Requests,” indicates the total requests for user information from U.S. law enforcement during each reporting period. The second tab, “Total Accounts,” shows how many users are subject to these requests, often totaling nearly double the number of requests filed. It’s important to note that these numbers only reflect the requests that six companies receive and while they may represent major trends, they are not totals across the entire tech sector.

Figure 1: Information Requests and Total Accounts Reported by Six Tech Companies

Notably, government requests for information from major tech companies have steadily increased over the years. Facebook and Google received considerably more requests than the other companies in every report, largely due to their enormous user bases. From these two companies, government requests for information between the first half of 2013 to the same period in 2021 increased by 411%. The number of user accounts requested by law enforcement during this period also increased by 437%.

These transparency reports also reveal user data is generally shared around 80% of the time it is requested. Figure 2 shows the six companies we analyzed reliably turned over most data requested by law enforcement. The companies determine legal or valid requests and what data should be shared or withheld. The decision-making power companies have in these scenarios came to light in 2006 when Google refused to comply with a U.S. Justice Department subpoena requesting records of potentially billions of search queries performed on the server over a one-week period. The government was developing a defense of the constitutionality of the Children’s Online Privacy Protection Act (COPPA) and received records from several other search engines. Google objected to the request on the grounds that it was overbroad, an invasion of its consumers’ privacy, and to protect company trade secrets.

Figure 2: Requests for Information Compliance Rate by Six Tech Companies

Data Brokers and Data Purchasing

Despite some technology companies’ efforts to offer transparency into their data sharing practices, much of the data collected by law enforcement and intelligence agencies still lack visibility. In a letter to DHS, DOJ, and DOD Inspectors General, Senator Ron Wyden (D-OR) revealed that his lengthy investigation into data purchasing practices “confirmed that multiple government agencies are purchasing Americans’ data without judicial authorization, including the Defense Intelligence Agency and Customs and Border Protection (CBP).”

Data brokering is a huge industry, and efforts to curtail its vague data sharing practices have proven difficult. Data brokers, or businesses that aggregate consumer information from various sources, usually sell this information to advertisers or governments. However, they do not provide the public with the same level of transparency. The data they share with law enforcement and intelligence agencies is a valued resource when responding to crimes or determining threats. It can even be the key to someone’s safety in time-critical situations. Larry Cosme, the president of the Federal Law Enforcement Officers Association, referenced his experience using information gathered from data brokers to help the Department of Homeland Security solve and prevent a child exploitation case and argued that a warrant would have taken too long. A common person-search product, created by LexisNexis and used by law enforcement, touts its ability to reduce crime rates while enhancing officer safety. Data analytics can help law enforcement anticipate crimes and events and prevent them from happening.

If used maliciously, the information data brokers sell can harm individuals. Unwarranted data sharing can be especially risky or dangerous when it exposes vulnerable populations. Minority groups already susceptible to harassment or discrimination may face greater risks from the sharing of personal or identifiable information. The Open Society Foundation reported that data obtained from brokers that includes small errors may lead to big mistakes in policing practices. The same report also indicates that “the use of data broker tools can exacerbate existing biases in policing and the broader criminal justice system.”

Large databases maintained by brokers may also risk national security or democracy. Data brokerage threatens national security when malicious actors can obtain the whereabouts or information of military personnel, veterans, or their relatives. Justin Sherman, the co-founder of the Ethical Tech Program at Duke University, warns data purchased from brokers could expose senior military personnel to “information operations, coercion, blackmail, or intelligence-gathering.” He also warns the voter profiles sold by data brokers, often used to inform political campaigns’ strategies, can also be used by foreign adversaries to spread misinformation and disinformation or influence U.S. elections.

Legal and Policy Considerations

Privacy

Privacy rights questions have come into the spotlight recently, in part due to the Supreme Court decision in Dobbs. It is now apparent to the general public that sensitive information, such as their whereabouts online, can be used and misused as the basis for prosecution or persecution. An opinion writer in Bloomberg Law wrote, “As Dobbs demonstrates, governments and many of our neighbors are incredibly interested in our private lives. Data collection can provide far too much insight into our personal choices to the last people we would want to know.”

The sensitivity of the information people put online is often undervalued. Location data, for example, can give precise information that helps with navigation systems or fitness trackers and can be used to make more useful commercial recommendations. Geolocation data could also be used as evidence in a crime. A “geofence warrant” casts a wide net over devices accessed within a radius of a certain location, giving law enforcement a group of suspects to then narrow down from. Geofence warrants successfully identified individuals involved in the riots at the U.S. Capitol on January 6, 2021. The data could pinpoint smartphone locations within the U.S. Capitol, aiding investigators in arrests and charges in connection with the riot. After the Supreme Court’s decision earlier this year, many experts warn about the consequences of misused location data in states that criminalize abortions. Some argue the geofence data is pervasive and could be an overreach into innocent people’s privacy. For example, an avid biker who used a fitness app on his Android phone to record a workout was wrongly accused of robbing a home that he had passed along his route. Law enforcement seized geolocation data from Google, pinning him to the area of the crime.

The 2018 Supreme Court decision in Carpenter v. United States – which concluded the federal government’s warrantless acquisition of many cell-site location records violated the Fourth Amendment right against unreasonable search and seizure – gave individuals greater expectations of privacy over their location and movements. How this ruling applies to third-party location and GPS data is still up for debate. Civil liberties groups, including the ACLU, state, “blanket warrants circumvent constitutional checks on police surveillance, creating a virtual dragnet of our religious practices, political affiliations, sexual orientation, and more.” In a notable robbery case, a federal district court in Virginia ruled the use of a geofence warrant violated Fourth Amendment rights. The New York State Senate introduced the first measure in the country that would ban requests or court orders for geofence and keyword searches, limiting the collection of information from swaths of potentially innocent people. Despite increased questioning of these practices, requests for location history geofence warrants continue to rise: Google disclosed data from 2018 through 2020 showing trends in requests for users’ location history.

Source: Google

Earlier this year, Senators Elizabeth Warren (D-MA) introduced a bill, cosponsored by several Democratic and independent Senators, the Health and Location Data Protection Act, which seeks to “ban data brokers from selling or transferring location data and health data” and fund the FTC to enforce this law. While this bill has yet to be taken up for a vote, the FTC has already shown interest in taking up cases on data brokers’ sale of sensitive location and health data by filing a lawsuit against Idaho-based data broker Kochava Inc.

There is still an opportunity for bipartisanship to protect user privacy. Recent bipartisan efforts to pass a comprehensive privacy framework signify ongoing commitments to restoring digital privacy rights to consumers. Congress has also introduced multiple bills, the Kids Online Safety Act and Children and Teens’ Online Privacy Protection Act, aimed at protecting children and teens’ online privacy, an area with significant support from both sides of the aisle. Online privacy can take many different forms so, it is important Congress work together to find bipartisan compromise solutions to these issues.

Security and Privacy-Enhancing Technologies

How data is stored and collected has critical policy implications. Without federal privacy laws, consumers have few safeguards against how their data is collected, used, and shared. Data brokers may only share information with the government in limited ways; for instance, they cannot share raw data itself but rather insights based on that data. Much power currently falls into the hands of technology companies to determine when to comply with government-issued requests for information and what data they want to collect in the first place. Federal agencies also consider deploying spyware that bypasses data brokers or companies and collects data directly from a person’s phone without their knowledge. Internal documents reveal the FBI purchased Pegasus, a tool that can extract information from cellphones. This new revelation raises security and privacy concerns. Policymakers must continue to determine the proper balance between privacy rights and law enforcement/security needs.

Lawmakers have attempted to address these issues in the past. Republican Senate Judiciary leaders drafted legislation in 2020, the Lawful Access to Encrypted Data Act, to prevent practices restricting law enforcement’s access to vital information to assist their investigations. They reference multiple scenarios where the lack of information supplied by technology companies, or the use of encryption led to illegal activity risking people’s safety. Because this opposes other efforts to protect privacy, they also call for more research into encryption techniques that maximize privacy without removing security (see endnote). Meanwhile, House and Senate Democrats introduced the Invest in Child Safety Act in 2020, encouraging law enforcement to work with companies to combat offensive and illegal behavior online without weakening encryption safeguards.

Recent bipartisan agreement toward strengthening online data protections is promising. Last year, the Promoting Digital Privacy Technologies Act was introduced in the Senate and passed the House to promote research on improving privacy-enhancing technologies that safeguard consumers’ private information. Privacy-enhancing technologies, or PETs, include “software solution, technical processes, or other technological means of enhancing the privacy and confidentiality of an individual’s personal data.” There is much progress to be made in order to apply PETs at scale, so continued bipartisan support for accelerated research in this area is needed.

Transparency

In 2014, Senate Democrats first introduced the Data Broker Accountability and Transparency Act, which would require data brokers to ensure accuracy and transparency of their data collection and gives consumers the means to remove their information. Alongside these congressional efforts, the FTC was making its own recommendations for Congress to require transparency by data brokers, similar to how companies provide transparency reports today. The FTC revealed “collecting and storing large amounts of data not only increases the risk of a data breach or other unauthorized access but also increases the potential harm that could be caused.” It also recommended Congress allow consumers to access, opt out, or correct information collected about them. California adopted these recommendations by passing the California Consumer Privacy Act (CCPA), which forces companies to disclose information collected about individuals and allows consumers to prevent businesses or data brokers from selling their information. However, the requests must be made one broker at a time, an extensive effort for any individual.

Congress showed renewed interest in dealing with this issue in August 2022, when House Judiciary Committee Chair Jerrold Nadler (D-NY) and House Homeland Security Committee Chair Bennie G. Thompson (D-MS) wrote a letter to several agencies requesting information about purchases of Americans’ personal information from brokers. Republicans and Democrats have signaled their intent to require greater transparency from online platforms, but bipartisan progress has yet to take hold in the form of concrete legislation.

Fourth Amendment Rights

The public and policymakers should consider when law enforcement should wield this power to obligate the release or purchase of personal information, and when and how companies should comply. The Fourth Amendment, which protects individuals from unreasonable searches and seizures, does not always protect information shared with third parties. The “third-party doctrine” permits government access to information maintained by third parties and can include email interactions and online banking records. This doctrine from the 1970s may need review or revision due to significant social changes and technological developments over the last few decades.

For example, smart home devices present new challenges to this interpretation of Constitutional law. With smart home devices growing in popularity, our behaviors at home can also have an increasingly impactful role in court decisions and in individual protections. In a high-profile case from 2018, a judge ordered voice recordings from a smart speaker in a double murder case, as the device was activated during the attack in question. Other smart devices, like smart energy meters, have also come under scrutiny for poor handling of data captured by users and the behavioral patterns they reveal. Across the country, police forces have embraced and encouraged the installation of private security cameras. Washington DC, is even providing rebates for residents and businesses that install equipment to deter crime and assist in investigations. The NYPD recently partnered with Amazon’s home video surveillance app, Ring, to promote public safety. However, the company also received criticism for sharing videos with police without a warrant under emergency circumstances.

A bipartisan bill in Congress shows lawmakers’ commitment to closing loopholes used by law enforcement to obtain sensitive personal information. Senators Ron Wyden (D-OR), Rand Paul (R-KY), and 18 others introduced the Fourth Amendment is Not for Sale Act, intending to prevent law enforcement and government agencies from purchasing consumer information.

Conclusion

Data provides benefits to society, but it also introduces new harms, and policymakers must understand both sides of this coin as they look to regulate data sharing and purchasing. Questions remain unanswered, such as whether policymakers will clarify the amount and sensitivity of consumer information governments can purchase, and if court orders are present, can we trust businesses to have consumers’ privacy in mind? How data is used, who can access it, and what inferences can be made based on a person’s digital footprint can change if the right policies are put in place. Policymakers must carefully consider what it means to change the rules governing our data and how they can make the internet safer for everyone. Bipartisan progress in protecting people’s information must weigh public safety and privacy rights and requires a strong understanding of factors that play into these policy debates.

Acknowledging Andrew Fung for his contribution to this piece

End Note: End-to-end encryption techniques only go so far to keep information private. Electronic Frontier Foundation warns that metadata will reveal sensitive information about a user, even on end-to-end encrypted messaging platforms. ProPublica reported the messaging platform, Whatsapp, uses end-to-end encryption techniques, but their records can still reveal who a person messages and when, leading to people’s arrests.