Indiscriminate Data Surveillance

*Barry Friedman is the Jacob D. Fuchsberg Professor of Law at New York University School of Law and Director of the Policing Project at New York University School of Law. Danielle Keats Citron is the Jefferson Scholars Foundation Schenck Distinguished Professor in Law at the University of Virginia School of Law, the Vice President of the Cyber Civil Rights Initiative, and a 2019 MacArthur Fellow. The authors are grateful for the feedback and input of many colleagues, including Emily Berman, Noah Chauvin, Jim Dempsey, Kristen Eichensehr, Andrew Ferguson, Max Isaacs, Jeff Jonas, Samuel Levine, Maria Ponomarenko, Daniel Solove, Vincent Southerland, Kathy Strandburg, Peter Swire, Matt Tokson, and Andrew Weissmann. And they would like to thank the many research assistants whose hard work contributed to this piece: Jack Bolen, Leila Chang, Eleanor Citron, Samuel Ellis, Megan Flynn, Maya Konstantino, YJ Lee, Madison Lahey, Nicole Mo, Chris Moore, Jeff Stautberg, and Yidi Wu. This work was produced with generous support from the Filomen D’Agostino and Max E. Greenberg Research Fund at New York University School of Law.Show More

­­­­

Working hand-in-hand with the private sector, largely in a regulatory vacuum, policing agencies at the federal, state, and local levels are acquiring and using vast reservoirs of personal data. They are doing so indiscriminately, which is to say without any reason to suspect the individuals whose data they are collecting are acting unlawfully. And they are doing it in bulk. People are unlikely to want this personal information shared with anyone, let alone law enforcement. And yet today, private companies are helping law enforcement gather it by the terabyte. On all of us.

Our thesis is straightforward: the unregulated collection of this data must cease, at least until basic rule-of-law requisites are met. Any collection must be authorized by democratically accountable bodies. It must be transparent. It must be based on clear proof of efficacy (that a legitimate purpose actually is being served). There must be protections that minimize or avoid harms to individuals and society. And, of course, there must be judicial review of whether indiscriminate bulk data collection is constitutional, either at all or with regard to specific programs.

The basis for this thesis is a first-of-its-kind review of instances, from the dawn of the Information Age, in which Congress acted on these very issues. Much of that history involves indiscriminate collection of data on Americans for reasons of national and domestic security, because national security represents the outer bounds of what law enforcement and intelligence agencies are permitted to do, and much of what is done in the name of national security is inappropriate for domestic policing. Yet, in incident after incident, Congress made clear that indiscriminate bulk collection of Americans’ data is unacceptable, unlawful, and of dubious constitutionality. To the extent that such collection was permitted at all, Congress demanded the very requisites specified above. Today’s indiscriminate bulk surveillance by federal, state, and local policing agencies violates virtually all of these congressionally established norms. It should cease, at least until the rule-of-law requisites are met.

Introduction

The Supreme Court’s decision in Dobbs v. Jackson Women’s Health Organization, which allowed states to criminalize abortion and which generated huge controversy that ripples today, also directed attention to a seemingly incongruous matter: personal data.¹ 1.142 S. Ct. 2228, 2242–43 (2022); Philip Bump, The Patterns of Out-of-State Abortions, Wash. Post (Sept. 1, 2023, 4:48 PM), https://www.washingtonpost.com/politics/2023/09/01/‌patterns-out-of-state-abortions/ [https://perma.cc/F8ZP-36H2].Show More To be specific, apps used to track menstrual cycles and other details of individuals’ intimate lives.² 2.Rina Torchinsky, How Period Tracking Apps and Data Privacy Fit into a Post-Roe v. Wade Climate, NPR (June 24, 2022, 3:06 PM), https://www.npr.org/2022/05/10/1097482967/‌roe-v-wade-supreme-court-abortion-period-apps [https://perma.cc/4XCD-WTWQ]; Sara Morrison, Should I Delete My Period App? And Other Post-Roe Privacy Questions, Vox (July 6, 2022, 12:50 PM), https://www.vox.com/recode/2022/7/6/23196809/period-apps-roe-dobbs‌-data-privacy-abortion [https://perma.cc/3UCU-L2M8].Show More The fear motivating the attention was that prosecutors would obtain the data in an attempt to prove that women had indeed aborted a fetus.³ 3.Jay Edelson, Post-Dobbs, Your Private Data Will Be Used Against You, Bloomberg News (Sept. 22, 2022, 4:00 AM), https://news.bloomberglaw.com/us-law-week/post-dobbs-your-pr‌ivate-data-will-be-used-against-you [https://perma.cc/E23W-DNMK]; see also Leah R. Fowler & Michael R. Ulrich, Femtechnodystopia, 75 Stan. L. Rev. 1233, 1237–38 (2023) (discussing how prosecutors and government officials could leverage consumer data to enforce abortion prohibitions or criminally prosecute users).Show More

This alarm was entirely justifiable—prosecutors already have sought private data for abortion prosecutions.⁴ 4.Cat Zakrzewski, Pranshu Verma & Claire Parker, Texts, Web Searches About Abortion Have Been Used to Prosecute Women, Wash. Post (July 3, 2022, 9:20 AM), https://www.wash‌ingtonpost.com/technology/2022/07/03/abortion-data-privacy-prosecution/ [https://perma.cc/‌UUB7-H9NS].Show More Still, there was something deeply naive about the sudden attention to law enforcement’s collection of personal digital data.⁵ 5.Ryan Phillips, Infant Death Case Heading Back to Grand Jury, Starkville Daily News (May 9, 2019), https://www.starkvilledailynews.com/infant-death-case-heading-back-to-gran‌d-jury/article_cf99bcb0-71cc-11e9-963a-eb5dc5052c92.html [https://perma.cc/D3Z9-39‌NR]; Grace Oldham & Dhruv Mehrotra, Facebook and Anti-Abortion Clinics Are Collecting Highly Sensitive Info on Would-Be Patients, The Markup (June 15, 2022, 6:00 AM), https://th‌emarkup.org/pixel-hunt/2022/06/15/facebook-and-anti-abortion-clinics-are-collecting-highly‌-sensitive-info-on-would-be-patients [https://perma.cc/379S-92YA]. For Supreme Court cases expressing protection for intimate privacy, see Griswold v. Connecticut, 381 U.S. 479, 485–86 (1965) (identifying a right to privacy for couples seeking to procure contraception); Stanley v. Georgia, 394 U.S. 557, 568 (1969) (holding that the First and Fourth Amendments protect the possession of “obscene material”).Show More For some time now, law enforcement has been gaining access to the most minute details of our personal lives: where we go and stay; with whom we text and chat; what we read and search; what we say to digital assistants; what medical advice we seek; and which health providers we see.⁶ 6.Danielle Keats Citron, The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age 58–63 (2022); see infra Part I.Show More At volume, all data becomes intimate data, and today, law enforcement is gathering it up by the terabyte.⁷ 7.Gabby Miller, Transcript: Senate Hearing on Protecting Americans’ Privacy and the AI Accelerant, Tech Pol’y Press (July 12, 2024) (statement of Ryan Calo), https://www.techpol‌icy.press/transcript-senate-hearing-on-protecting-americans-privacy-and-the-ai-accelerant/ [https://perma.cc/Z87R-JXR5] (“AI is increasingly able to derive the intimate from the available.”); Alicia Solow-Niederman, Information Privacy and the Inference Economy, 117 Nw. U. L. Rev. 357, 361 (2022) (exploring the implications of machine learning tools’ ability to derive personal data from “aggregations of seemingly innocuous data”); see infra Part I.Show More On each and every one of us.

What the abortion decision did was bring the spotlight of public attention to what already is an extensive and deepening relationship between law enforcement and private actors, which has enabled indiscriminate data surveillance, in bulk. It’s no secret that private actors collect vast amounts of data on each of us.⁸ 8.See, e.g., Carly Page, Hotel Giant Marriott Confirms Yet Another Data Breach, TechCrunch (July 6, 2022, 7:21 AM), https://techcrunch.com/2022/07/06/marriott-breach-ag‌ain/ [https://perma.cc/Q2HF-8P5S]; Andrew Leahey, Equifax, Experian Must Pay More Than Pennies for Data Breaches, Bloomberg Tax (Feb. 21, 2023, 4:45 AM), https://news.bloomber‌gtax.com/tax-insights-and-commentary/equifax-experian-must-pay-more-than-pennies-for-data-breaches [https://perma.cc/Q2HZ-HG5B].Show More What is less widely known, but essential to understand, is the full extent to which that data can be, is, and will be shared with agents of the state. Some twenty years ago, Michael D. Birnhack and Niva Elkin-Koren called this “The Invisible Handshake.”⁹ 9.Michael D. Birnhack & Niva Elkin-Koren, The Invisible Handshake: The Reemergence of the State in the Digital Environment, Va. J.L. & Tech., Summer 2003, at 1.Show More Today, it is a full embrace.

This Article is about the acquisition by law enforcement of personal data indiscriminately and in bulk. “Indiscriminately” means it is acquired without the sort of lawful predicate—such as probable cause or reasonable suspicion—that typically limits when law enforcement may target individuals. “In bulk” captures how the technology and economics of the digital age enable policing agencies to gather this data on all of us, or any subset it chooses.¹⁰ 10.On the ability to collect data in bulk and the economics of storing it, see Viktor Mayer-Schönberger & Kenneth Cukier, Big Data: A Revolution That Will Transform How We Live, Work, and Think 6–12 (2013).Show More Today, policing agencies are acquiring access to the personal data of vast swaths of society, without regard to whether the targets of data acquisition are suspected of any unlawful conduct whatsoever. And they are using artificial-intelligence-driven tools to develop vivid pictures of who we are, what we do, where we go, what we spend, with whom we communicate, and much, much more.¹¹ 11.See infra Part I.Show More Make no mistake, the state has each of us under surveillance, and the extent and cohesiveness of that surveillance are growing by the day.

Although we know for certain this access to vast amounts of personal data is happening, far too few of the details are public because law enforcement and private parties are engaged in deliberate evasion to prevent our knowing. Through misleading procurement practices, memoranda of understanding (“MOU”) mutually pledging nondisclosure, parallel construction (the act of hiding from courts how law enforcement gets its leads), and more, public-private partners effectively manage to assemble vast pools of data outside the public eye, thereby avoiding any oversight.¹² 12.Id.Show More

What this Article demonstrates is that this sort of gathering of massive reservoirs of personal data about innocent people (to use a shorthand for those for whom there is no suspicion of wrongdoing) has been condemned by Congress and the broader society it represents time and again, and justifiably so. From the birth of the age of computerization, to the deeply problematic and nefarious conduct of government agents during COINTELPRO, to the secret collections of data by the National Security Agency as revealed by Edward Snowden, when Congress has been forced to act on this sort of indiscriminate data collection, it has ordered this practice to cease.¹³ 13.See infra Part II.Show More It is true, as we explain in Part III, that members of Congress, as well as state and local legislators, prefer to duck confrontations with law enforcement whenever they can—and they certainly do. But when compelled to act, Congress has made clear that the unregulated gathering of computerized dossiers endangers personal privacy and security, and risks unchecked government power. Such surveillance has chilled and destroyed constitutional rights exercised in the service of social change, has fallen particularly heavily on vulnerable and marginalized minorities, and has put way too much power in the hands of executive branch actors.¹⁴ 14.Citron, supra note 6, at xvi.Show More

Still, to be clear—and this is what makes the issue a difficult one—law enforcement access to digital reservoirs may serve important purposes. Ever since the advent of the internet, crime has moved online. From those who steal our identities and empty our bank accounts, to those who threaten and stalk us, to those who would terrorize us or foment insurrection, crime is online and is itself driven by access to personal data.¹⁵ 15.See, e.g., Luke Barr, Americans Lost $10.3 Billion to Internet Scams in 2022, FBI Says, ABC News (Mar. 13, 2023, 4:27 PM), https://abcnews.go.com/Business/americans-lost-103-billion-internet-scams-2022-fbi/story?id=97832789 [https://perma.cc/7DQP-U9ZP]; Joshua Barlow, Naval Officer Charged with Harassment, Cyberstalking, Identity Theft Against Ex-Wife, WTOP News (Oct. 24, 2022, 4:59 AM), https://wtop.com/montgomery-county/2022/10‌/naval-officer-charged-with-harassment-cyberstalking-identity-theft-against-ex-wife/ [https://perma.cc/6SP2-MBGR]; Farah Pandith & Jacob Ware, Teen Terrorism Inspired by Social Media Is on the Rise. Here’s What We Need to Do., NBC News (Mar. 22, 2021, 4:30 AM), https://www.nbcnews.com/think/opinion/teen-terrorism-inspired-social-media-ris‌e-here-s-what-we-ncna1261307 [https://perma.cc/V62E-GVYS]; Rebecca Heilweil & Shirin Ghaffary, How Trump’s Internet Built and Broadcast the Capitol Insurrection, Vox (Jan. 8, 2021, 5:00 PM), https://www.vox.com/recode/22221285/trump-online-capitol-riot-far-right-parler-twitter-facebook [https://perma.cc/52NQ-5YZX].Show More Law enforcement needs to use digital tools of some sort to keep us safe from wrongdoing, and those may well require access to personal data—though even yet it remains open to question whether that should include the data of individuals suspected of nothing.

Society’s goal should be a reasoned balance, but things now are seriously out of kilter. Working hand-in-hand with the private sector, policing agencies at the federal, state, and local levels are indiscriminately accessing vast reservoirs of personal data.¹⁶ 16.See infra Part I.Show More In the absence of regulation, this has made suspects of us all, and invited harms of the most grievous sort.¹⁷ 17.Id.Show More

Our thesis is straightforward: the current state of affairs must end. This is not necessarily to call for a ban on all indiscriminate bulk data-collection partnerships. As we’ve indicated, there are reasons some degree of collection might be advisable for safety’s sake. Rather, what we do here is derive from congressional debates and critical legislative actions taken since the dawn of the Information Age a set of very basic rule-of-law requisites that must be met before indiscriminate data surveillance can continue. Collection must be democratically authorized, not left to policing agencies alone to decide. The fact of collection must be transparent, even if some particulars are not, for security reasons. There must be a clear showing that collection protects public safety. And there must be safeguards in place—among them antidiscrimination, minimization, and retention limits—to mitigate or eliminate a number of obvious harms to privacy, personal security, equality, and overweening state power. And all of this must be open to constitutional scrutiny.¹⁸ 18.The recent guidance to federal agencies by the Office of Management and Budget (“OMB”) regarding the use of artificial intelligence is greatly consistent with much of what we argue for here. See Proposed Memorandum from Shalanda D. Young, Dir., Off. of Mgmt. & Budget, to the Heads of Exec. Dep’ts & Agencies, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence 10, 16, 18, 22 (2023) (requiring public input, transparency, a showing of efficacy, and detailed safeguards, with hopefully narrow exceptions for some law enforcement and national security activity); accord Joy Buolamwini & Barry Friedman, How the Federal Government Can Rein in A.I. in Law Enforcement, N.Y. Times (Jan. 2, 2024), https://www.nytimes.com/2024/01/02/opinion/‌ai-police-regulation.html [https://perma.cc/4U5V-UVSJ] (acknowledging OMB’s requirements and urging closing of loopholes).Show More We are skeptical that much of today’s indiscriminate bulk public-private surveillance will satisfy these tests. But our overarching point is that indiscriminate bulk collection of our data behind our backs must come to a halt, and if it occurs at all, it must proceed only by the terms set after open and transparent democratic debate. This is what congressional action, when it has occurred, teaches us.

As we write, it is an understatement to say these issues are at the forefront of national politics.¹⁹ 19.Thanks to Noah Chauvin for enhancing our list of examples.Show More Congress is embroiled in debates over the limits on policing agencies purchasing personal data from data brokers.²⁰ 20.In April of 2024, the House of Representatives passed the Fourth Amendment Is Not For Sale Act (“FAINFSA”) by a vote of 219-199. See H.R. 4639—Fourth Amendment Is Not For Sale Act, Congress.gov, https://www.congress.gov/bill/118th-congress/house-bill/4639/all-ac‌tions [https://perma.cc/Z8XL-6JC7] (last visited Sept. 7, 2024). This bill would flatly prohibit some of the practices we describe. Joseph Cox, Bill That Would Stop the Government Buying Data Without a Warrant Passes Key Hurdle, Vice (July 19, 2023, 11:19 AM), https://www.vic‌e.com/en/article/wxjgd4/fourth-amendment-is-not-for-sale-act-passes-committee [https://per‌ma.cc/GVB6-6KK7]. The Protect Liberty and End Warrantless Surveillance Act, which incorporates FAINSFA in full, passed through the House Judiciary Committee by a vote of 35-2. H.R. 6570, 118th Cong. (2023); see also H.R. 6570—Protect Liberty and End Warrantless Surveillance Act of 2023, Congress.gov, https://www.congress.gov/bill/118th-co‌ngress/house-bill/6570/all-actions-without-amendments [https://perma.cc/3XJS-Y9XC] (last visited May 15, 2024). The bipartisan, bicameral Government Surveillance Reform Act exceeds even FAINFSA in the information it would protect. H.R. 6262, 118th Cong. (2023); S. 3234, 118th Cong. (2023). The House of Representatives, by voice vote, adopted the Davidson-Jacobs Amendment to the National Defense Authorization Act, which would have prohibited the Department of Defense from purchasing U.S. persons’ protected information without a warrant. H.Amdt.256 to H.R. 2670, Congress.gov (July 14, 2023), https://www.cong‌ress.gov/amendment/118th-congress/house-amendment/256/text?s=3&r=5 [https://perma.cc/‌U8KM-X75W]. For an overview of the threat to privacy that data brokers present and an evaluation of certain legislative proposals, see Emile Ayoub & Elizabeth Goitein, Closing the Data Broker Loophole, Brennan Ctr. for Just. (Feb. 13, 2024), https://www.brennancenter.org/‌our-work/research-reports/closing-data-broker-loophole [https://perma.cc/S3H5-5T7U].Show More Section 702 of the Foreign Intelligence Surveillance Act recently was reauthorized, but only for two years rather than the typical five, and it encountered an especially rocky road in light of recent revelations of FBI overreach.²¹ 21.See Biden Signs Reauthorization of Surveillance Program into Law Despite Privacy Concerns, NPR (Apr. 20, 2024, 9:54 PM), https://www.npr.org/2024/‌04/20/1246‌076114/sen‌ate-passes-reauthorization-surveillance-program-fisa [https://perma.cc/M5XF-LV5R] (“The reauthorization faced a long and bumpy road to final passage Friday after months of clashes between privacy advocates and national security hawks pushed consideration of the legislation to the brink of expiration.”); see also Preston Marquis & Molly E. Reynolds, House Passes Section 702 Reauthorization, Lawfare (Apr. 16, 2024, 12:59 PM), https://www.lawfaremedia‌.org/article/house-passes-section-702-reauthorization [https://perma.cc/78RP-RGB8] (describing the two-year reauthorization as a “key concession” to ensure the bill’s passage).Show More In the course of reauthorization, Section 702 proponents adopted some reforms and promised to systematically consider more.²² 22.On the nature of the reforms, see infra notes 252–56. A commission was established to “consider ongoing reforms.” Reforming Intelligence and Securing America Act, Pub. L. No. 118-49, § 18(c), 138 Stat. 885 (2024) (codified as amended at 50 U.S.C. § 1881a); see also David Aaron, Unpacking the FISA Section 702 Reauthorization Bill, Just Sec. (Apr. 18, 2024), https://www.justsecurity.org/94771/unpacking-the-fisa-section-702-reauthorization-bill/ [https://perma.cc/XE4T-MVM3]. The Chair of the Senate Intelligence Committee, Senator Mark Warner, acknowledged drafting problems with the reauthorization bill and promised to work towards improvements this summer. Noah Chauvin, Too Much Power for Spy Agencies, Brennan Ctr. for Just. (Apr. 23, 2024), https://www.brennancenter.org/our-work/analysis-opi‌nion/too-much-power-spy-agencies [https://perma.cc/J438-M9P9]. One upshot of the fight was that the FISA reform bill will come to the House floor for passage by simple majority, rather than requiring a two-thirds vote as leadership originally had planned. See Marquis & Reynolds, supra note 21.Show More The Office of the Director of National Intelligence (“ODNI”) recently declassified a report on the Intelligence Community’s use of commercially available information, the most salient part of which is a recognition that indiscriminate bulk collection of information involves highly personal information and that claiming its collection avoids constitutional or other concerns simply because it is “publicly” or “commercially” available is unpersuasive. ODNI called for top-to-bottom reconsideration of the issue.²³ 23.Off. of the Dir. of Nat’l Intel., Senior Advisory Grp., Panel on Commercially Available Info., Report to the Director of National Intelligence 2 (Jan. 27, 2022) [hereinafter ODNI Report], https://www.dni.gov/files/ODNI/documents/assessments/ODNI-Declassified-Repor‌t-on-CAI-January2022.pdf [https://perma.cc/69EZ-2NK2].Show More The Federal Trade Commission brought an action in January of 2024 against data broker X-Mode Social for selling sensitive data obtained from phones without customer consent.²⁴ 24.Press Release, Fed. Trade Comm’n, FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (Jan. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data [https://perma.cc/2RNF-JBTP]. On May 1, 2024, the FTC released its final order against InMarket in which it prohibited the data aggregator from sharing or selling sensitive location data for advertising and marketing purposes. Press Release, Fed. Trade Comm’n, FTC Finalizes Order with InMarket Prohibiting It from Selling or Sharing Precise Location Data (May 1, 2024), https://www.ftc.gov/news-events/news/pre‌ss-releases/2024/05/ftc-finalizes-order-inmarket-prohibiting-it-selling-or-sharing-precise-loc‌ation-data [https://perma.cc/B6XR-578H].Show More That same month, Senator Ron Wyden forced the Intelligence Community to reveal it was buying Americans’ location data by putting a hold on the nominee for Director of the National Security Agency until this information became public.²⁵ 25.See Letter from Ron Wyden, U.S. Sen., to Avril Haines, Dir. of Nat’l Intel. (Jan. 25, 2024), https://www.wyden.senate.gov/imo/media/doc/signed_wyden_letter_to_dni_re_nsa_p‌urchase_of_domestic_metadata_and_ftc_order_on_data_brokers_with_attachments.pdf [https://perma.cc/EHJ8-69ZH]; Charlie Savage, N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says, N.Y. Times (Jan. 25, 2024), https://www.nytimes.com/2024/‌01/25/us/politics/nsa-internet-privacy-warrant.html [https://perma.cc/5GVM-RXXR].Show More

Despite the apparent urgency of these issues, little (if any) progress is being made, in large part—we believe—because legislators are simply uncertain how to proceed. That is where we seek to intervene. Relying on past congressional actions, we provide a roadmap for Congress, as well as state and local legislative bodies, as to the minimum requirements that must be in place before indiscriminate bulk data collection can continue. (And even then, as we say, there must be judicial review.)

Although our aspiration here is to suggest a path toward sound regulation, we are quite certain that absent the very basic rule-of-law requisites identified repeatedly by Congress, courts should invalidate all such indiscriminate collection as unconstitutional. It is difficult to understand how a court could uphold such activity given that, for the most part, we don’t even know what actually is happening. That is no doubt why courts, confronted with these issues, have tended to dispose of them on justiciability or other grounds rather than reaching the merits.²⁶ 26.See, e.g., ACLU v. Clapper, 785 F.3d 787, 823–24 (2d Cir. 2015) (declining to address whether the NSA’s bulk data collection pursuant to Section 215 violated the Fourth Amendment); Clapper v. Amnesty Int’l USA, 568 U.S. 398, 402, 414, 418 (2013) (dismissing for want of Article III standing the claim that § 1881a of the Foreign Intelligence Surveillance Act of 1978 is unconstitutional); Schuchardt v. President of the United States, 802 F. App’x 69, 76–77 (3d Cir. 2020); Obama v. Klayman, 800 F.3d 559, 562 (D.C. Cir. 2015).Show More Still, it is unacceptable for courts simply to turn a blind eye to the degree of surveillance that is occurring. Our review of congressional debates, coupled with a constitutional argument one of us has advanced elsewhere, provides ample basis for striking down indiscriminate bulk data surveillance that is occurring in the absence of any regulation and without anything in the way of serious guardrails.²⁷ 27.See Barry Friedman, Lawless Surveillance, 97 N.Y.U. L. Rev. 1143, 1204–14 (2022) (providing a constitutional argument of precisely this nature).Show More

On the other hand, the appropriate time to address the constitutionality of indiscriminate bulk data collection in the context of a specific legislative program is when the contours of that legislative program are known, including factors such as any evidence of the utility of the data collected, and the safeguards in place to protect individual interests.²⁸ 28.In Carpenter v. United States, the Supreme Court barred warrantless collection of over six days of cell site location information, despite such collection ostensibly being permitted by the Stored Communications Act. 138 S. Ct. 2206, 2216–19 (2018). But the Court went no further. In that decision, the Chief Justice expressed the need to move cautiously, lest the Court “embarrass the future.” Id. at 2220 (quoting Nw. Airlines, Inc. v. Minnesota, 322 U.S. 292, 300 (1944)). Actual legislation will provide the Court with an opportunity to evaluate the specific protections it embodies, as well as government arguments about the utility of the data collected. See, e.g., Berger v. New York, 388 U.S. 41, 44 (1967) (evaluating constitutionality of wiretapping in context of New York’s law); see infra notes 332–40 and accompanying text (discussing how decisions like Berger have led to further legislation).Show More

Part I of this Article sets the stage by explaining that indiscriminate bulk data collection by domestic policing agencies is rampant and expanding at warp speed due to deepening public-private data partnerships. Section II.A details the profound data grab that is occurring and explains how, with the assistance of private helpers, law enforcement is accomplishing what it likely could not on its own. Section II.B makes the case that what is occurring may be but the tip of the iceberg. Law enforcement and their private partners are engaging in evasive (and dubiously constitutional) tactics to keep secret the fact that any of this is happening, making it impossible to know the true extent of the indiscriminate data surveillance.

Part II is the heart of our argument. It documents that when Congress has been forced to confront indiscriminate bulk data collection about innocent individuals by intelligence and policing agencies, it has registered sharp disapproval; Congress typically has shut down the collection. To the extent that the legislature allowed any mass access to data, the data was safeguarded with protections that often were understood to be foundational and perhaps required by the Constitution. To be clear, Congress has not always acted in the face of complaints about mass collection of private data. Public choice theory confirms what our own eyes see—caught between claims of national security and law enforcement imperatives (on the one hand), and popular unhappiness about private data collection (on the other), as well as its own keen awareness of the dangers, Congress often bends to pressure. But when Congress has been forced to act, indiscriminate bulk data collection about Americans suspected of nothing consistently has been deemed unlawful, of dubious constitutionality, and has been rejected. Congress has insisted instead on a set of quite obvious basic prerequisites, grounded in the rule of law. Part II traces this history up to the present day. Much of what we discuss in Part II concerns national security, which serves as a notable benchmark, because all concerned agreed that while certain surveillance activities may be permissible to protect national security, they are simply impermissible for domestic purposes.

Part III, relying on congressional insights of the past, turns to prescription for the present. Section III.A summarizes the rule-of-law requisites that surfaced repeatedly in congressional debates and actions, making abundantly clear that the ongoing domestic law enforcement data grab detailed in Part I violates these requisites. Indiscriminate data collection should not occur at all unless it is democratically authorized, transparent, based upon demonstrated efficacy, and bounded by essential safeguards to prevent things like discrimination, risks to personal security, and the accumulation of overweening governmental power. This goes for data collection conducted for the use of policing agencies at every level of government, federal, state, tribal, and local. Section III.B then tackles the hard question—which is how to make this happen in light of the game of hot potato that keeps both the judiciary and legislative bodies from doing their regulatory and adjudicative jobs. That Section identifies a set of mechanisms to address the problem. One is what historically has been a game of judicial / legislative give-and-take that allows each branch to push the other toward sensible resolutions. Another is a set of sunsets—coupled with disclosure requirements—to ensure periodic democratic review and reevaluation of data collection efforts to, among other things, weigh the efficacy and value of such collections against the intrusions they involve. The third is an intriguing, ongoing intercontinental game of chicken between the European Union and the United States that might accomplish the same, at least at the federal level.

Data, in our world, is a benefit and a curse. If we are not careful, the curse will trump the benefits in too many of our lives. Even if the threat is not immediately obvious, allowing government access to this much information about all of us is a prescription for tyranny. Eyes were opened by the idea that government could not only criminalize our reproductive lives but pry into our virtual and physical bedrooms and bathrooms to discover any criminality. That particular fear is justified, but the threats extend far beyond it. It is essential that we do something, now, about policing and intelligence agency’s massive indiscriminate collection of our personal data.

1.  142 S. Ct. 2228, 2242–43 (2022); Philip Bump, The Patterns of Out-of-State Abortions, Wash. Post (Sept. 1, 2023, 4:48 PM), https://www.washingtonpost.com/politics/2023/09/01/‌patterns-out-of-state-abortions/ [https://perma.cc/F8ZP-36H2]. ↑
2.  Rina Torchinsky, How Period Tracking Apps and Data Privacy Fit into a Post-Roe v. Wade Climate, NPR (June 24, 2022, 3:06 PM), https://www.npr.org/2022/05/10/1097482967/‌roe-v-wade-supreme-court-abortion-period-apps [https://perma.cc/4XCD-WTWQ]; Sara Morrison, Should I Delete My Period App? And Other Post-Roe Privacy Questions, Vox (July 6, 2022, 12:50 PM), https://www.vox.com/recode/2022/7/6/23196809/period-apps-roe-dobbs‌-data-privacy-abortion [https://perma.cc/3UCU-L2M8]. ↑
3.  Jay Edelson, Post-Dobbs, Your Private Data Will Be Used Against You, Bloomberg News (Sept. 22, 2022, 4:00 AM), https://news.bloomberglaw.com/us-law-week/post-dobbs-your-pr‌ivate-data-will-be-used-against-you [https://perma.cc/E23W-DNMK]; see also Leah R. Fowler & Michael R. Ulrich, Femtechnodystopia, 75 Stan. L. Rev. 1233, 1237–38 (2023) (discussing how prosecutors and government officials could leverage consumer data to enforce abortion prohibitions or criminally prosecute users). ↑
4.  Cat Zakrzewski, Pranshu Verma & Claire Parker, Texts, Web Searches About Abortion Have Been Used to Prosecute Women, Wash. Post (July 3, 2022, 9:20 AM), https://www.wash‌ingtonpost.com/technology/2022/07/03/abortion-data-privacy-prosecution/ [https://perma.cc/‌UUB7-H9NS]. ↑
5.  Ryan Phillips, Infant Death Case Heading Back to Grand Jury, Starkville Daily News (May 9, 2019), https://www.starkvilledailynews.com/infant-death-case-heading-back-to-gran‌d-jury/article_cf99bcb0-71cc-11e9-963a-eb5dc5052c92.html [https://perma.cc/D3Z9-39‌NR]; Grace Oldham & Dhruv Mehrotra, Facebook and Anti-Abortion Clinics Are Collecting Highly Sensitive Info on Would-Be Patients, The Markup (June 15, 2022, 6:00 AM), https://th‌emarkup.org/pixel-hunt/2022/06/15/facebook-and-anti-abortion-clinics-are-collecting-highly‌-sensitive-info-on-would-be-patients [https://perma.cc/379S-92YA]. For Supreme Court cases expressing protection for intimate privacy, see Griswold v. Connecticut, 381 U.S. 479, 485–86 (1965) (identifying a right to privacy for couples seeking to procure contraception); Stanley v. Georgia, 394 U.S. 557, 568 (1969) (holding that the First and Fourth Amendments protect the possession of “obscene material”). ↑
6.  Danielle Keats Citron, The Fight for Privacy: Protecting Dignity, Identity, and Love in the Digital Age 58–63 (2022); see infra Part I. ↑
7.  Gabby Miller, Transcript: Senate Hearing on Protecting Americans’ Privacy and the AI Accelerant, Tech Pol’y Press (July 12, 2024) (statement of Ryan Calo), https://www.techpol‌icy.press/transcript-senate-hearing-on-protecting-americans-privacy-and-the-ai-accelerant/ [https://perma.cc/Z87R-JXR5] (“AI is increasingly able to derive the intimate from the available.”); Alicia Solow-Niederman, Information Privacy and the Inference Economy, 117 Nw. U. L. Rev. 357, 361 (2022) (exploring the implications of machine learning tools’ ability to derive personal data from “aggregations of seemingly innocuous data”); see infra Part I. ↑
8.  See, e.g., Carly Page, Hotel Giant Marriott Confirms Yet Another Data Breach, TechCrunch (July 6, 2022, 7:21 AM), https://techcrunch.com/2022/07/06/marriott-breach-ag‌ain/ [https://perma.cc/Q2HF-8P5S]; Andrew Leahey, Equifax, Experian Must Pay More Than Pennies for Data Breaches, Bloomberg Tax (Feb. 21, 2023, 4:45 AM), https://news.bloomber‌gtax.com/tax-insights-and-commentary/equifax-experian-must-pay-more-than-pennies-for-data-breaches [https://perma.cc/Q2HZ-HG5B]. ↑
9.  Michael D. Birnhack & Niva Elkin-Koren, The Invisible Handshake: The Reemergence of the State in the Digital Environment, Va. J.L. & Tech., Summer 2003, at 1. ↑
10.  On the ability to collect data in bulk and the economics of storing it, see Viktor Mayer-Schönberger & Kenneth Cukier, Big Data: A Revolution That Will Transform How We Live, Work, and Think 6–12 (2013). ↑
11.  See infra Part I. ↑
12.  Id. ↑
13.  See infra Part II. ↑
14.  Citron, supra note 6, at xvi. ↑
15.  See, e.g., Luke Barr, Americans Lost $10.3 Billion to Internet Scams in 2022, FBI Says, ABC News (Mar. 13, 2023, 4:27 PM), https://abcnews.go.com/Business/americans-lost-103-billion-internet-scams-2022-fbi/story?id=97832789 [https://perma.cc/7DQP-U9ZP]; Joshua Barlow, Naval Officer Charged with Harassment, Cyberstalking, Identity Theft Against Ex-Wife, WTOP News (Oct. 24, 2022, 4:59 AM), https://wtop.com/montgomery-county/2022/10‌/naval-officer-charged-with-harassment-cyberstalking-identity-theft-against-ex-wife/ [https://perma.cc/6SP2-MBGR]; Farah Pandith & Jacob Ware, Teen Terrorism Inspired by Social Media Is on the Rise. Here’s What We Need to Do., NBC News (Mar. 22, 2021, 4:30 AM), https://www.nbcnews.com/think/opinion/teen-terrorism-inspired-social-media-ris‌e-here-s-what-we-ncna1261307 [https://perma.cc/V62E-GVYS]; Rebecca Heilweil & Shirin Ghaffary, How Trump’s Internet Built and Broadcast the Capitol Insurrection, Vox (Jan. 8, 2021, 5:00 PM), https://www.vox.com/recode/22221285/trump-online-capitol-riot-far-right-parler-twitter-facebook [https://perma.cc/52NQ-5YZX]. ↑
16.  See infra Part I. ↑
17.  Id. ↑
18.  The recent guidance to federal agencies by the Office of Management and Budget (“OMB”) regarding the use of artificial intelligence is greatly consistent with much of what we argue for here. See Proposed Memorandum from Shalanda D. Young, Dir., Off. of Mgmt. & Budget, to the Heads of Exec. Dep’ts & Agencies, Advancing Governance, Innovation, and Risk Management for Agency Use of Artificial Intelligence 10, 16, 18, 22 (2023) (requiring public input, transparency, a showing of efficacy, and detailed safeguards, with hopefully narrow exceptions for some law enforcement and national security activity); accord Joy Buolamwini & Barry Friedman, How the Federal Government Can Rein in A.I. in Law Enforcement, N.Y. Times (Jan. 2, 2024), https://www.nytimes.com/2024/01/02/opinion/‌ai-police-regulation.html [https://perma.cc/4U5V-UVSJ] (acknowledging OMB’s requirements and urging closing of loopholes). ↑
19.  Thanks to Noah Chauvin for enhancing our list of examples. ↑
20.  In April of 2024, the House of Representatives passed the Fourth Amendment Is Not For Sale Act (“FAINFSA”) by a vote of 219-199. See H.R. 4639—Fourth Amendment Is Not For Sale Act, Congress.gov, https://www.congress.gov/bill/118th-congress/house-bill/4639/all-ac‌tions [https://perma.cc/Z8XL-6JC7] (last visited Sept. 7, 2024). This bill would flatly prohibit some of the practices we describe. Joseph Cox, Bill That Would Stop the Government Buying Data Without a Warrant Passes Key Hurdle, Vice (July 19, 2023, 11:19 AM), https://www.vic‌e.com/en/article/wxjgd4/fourth-amendment-is-not-for-sale-act-passes-committee [https://per‌ma.cc/GVB6-6KK7]. The Protect Liberty and End Warrantless Surveillance Act, which incorporates FAINSFA in full, passed through the House Judiciary Committee by a vote of 35-2. H.R. 6570, 118th Cong. (2023); see also H.R. 6570—Protect Liberty and End Warrantless Surveillance Act of 2023, Congress.gov, https://www.congress.gov/bill/118th-co‌ngress/house-bill/6570/all-actions-without-amendments [https://perma.cc/3XJS-Y9XC] (last visited May 15, 2024). The bipartisan, bicameral Government Surveillance Reform Act exceeds even FAINFSA in the information it would protect. H.R. 6262, 118th Cong. (2023); S. 3234, 118th Cong. (2023). The House of Representatives, by voice vote, adopted the Davidson-Jacobs Amendment to the National Defense Authorization Act, which would have prohibited the Department of Defense from purchasing U.S. persons’ protected information without a warrant. H.Amdt.256 to H.R. 2670, Congress.gov (July 14, 2023), https://www.cong‌ress.gov/amendment/118th-congress/house-amendment/256/text?s=3&r=5 [https://perma.cc/‌U8KM-X75W]. For an overview of the threat to privacy that data brokers present and an evaluation of certain legislative proposals, see Emile Ayoub & Elizabeth Goitein, Closing the Data Broker Loophole, Brennan Ctr. for Just. (Feb. 13, 2024), https://www.brennancenter.org/‌our-work/research-reports/closing-data-broker-loophole [https://perma.cc/S3H5-5T7U]. ↑
21.  See Biden Signs Reauthorization of Surveillance Program into Law Despite Privacy Concerns, NPR (Apr. 20, 2024, 9:54 PM), https://www.npr.org/2024/‌04/20/1246‌076114/sen‌ate-passes-reauthorization-surveillance-program-fisa [https://perma.cc/M5XF-LV5R] (“The reauthorization faced a long and bumpy road to final passage Friday after months of clashes between privacy advocates and national security hawks pushed consideration of the legislation to the brink of expiration.”); see also Preston Marquis & Molly E. Reynolds, House Passes Section 702 Reauthorization, Lawfare (Apr. 16, 2024, 12:59 PM), https://www.lawfaremedia‌.org/article/house-passes-section-702-reauthorization [https://perma.cc/78RP-RGB8] (describing the two-year reauthorization as a “key concession” to ensure the bill’s passage). ↑
22.  On the nature of the reforms, see infra notes 252–56. A commission was established to “consider ongoing reforms.” Reforming Intelligence and Securing America Act, Pub. L. No. 118-49, § 18(c), 138 Stat. 885 (2024) (codified as amended at 50 U.S.C. § 1881a); see also David Aaron, Unpacking the FISA Section 702 Reauthorization Bill, Just Sec. (Apr. 18, 2024), https://www.justsecurity.org/94771/unpacking-the-fisa-section-702-reauthorization-bill/ [https://perma.cc/XE4T-MVM3]. The Chair of the Senate Intelligence Committee, Senator Mark Warner, acknowledged drafting problems with the reauthorization bill and promised to work towards improvements this summer. Noah Chauvin, Too Much Power for Spy Agencies, Brennan Ctr. for Just. (Apr. 23, 2024), https://www.brennancenter.org/our-work/analysis-opi‌nion/too-much-power-spy-agencies [https://perma.cc/J438-M9P9]. One upshot of the fight was that the FISA reform bill will come to the House floor for passage by simple majority, rather than requiring a two-thirds vote as leadership originally had planned. See Marquis & Reynolds, supra note 21. ↑
23.  Off. of the Dir. of Nat’l Intel., Senior Advisory Grp., Panel on Commercially Available Info., Report to the Director of National Intelligence 2 (Jan. 27, 2022) [hereinafter ODNI Report], https://www.dni.gov/files/ODNI/documents/assessments/ODNI-Declassified-Repor‌t-on-CAI-January2022.pdf [https://perma.cc/69EZ-2NK2]. ↑
24.  Press Release, Fed. Trade Comm’n, FTC Order Prohibits Data Broker X-Mode Social and Outlogic from Selling Sensitive Location Data (Jan. 9, 2024), https://www.ftc.gov/news-events/news/press-releases/2024/01/ftc-order-prohibits-data-broker-x-mode-social-outlogic-selling-sensitive-location-data [https://perma.cc/2RNF-JBTP]. On May 1, 2024, the FTC released its final order against InMarket in which it prohibited the data aggregator from sharing or selling sensitive location data for advertising and marketing purposes. Press Release, Fed. Trade Comm’n, FTC Finalizes Order with InMarket Prohibiting It from Selling or Sharing Precise Location Data (May 1, 2024), https://www.ftc.gov/news-events/news/pre‌ss-releases/2024/05/ftc-finalizes-order-inmarket-prohibiting-it-selling-or-sharing-precise-loc‌ation-data [https://perma.cc/B6XR-578H]. ↑
25.  See Letter from Ron Wyden, U.S. Sen., to Avril Haines, Dir. of Nat’l Intel. (Jan. 25, 2024), https://www.wyden.senate.gov/imo/media/doc/signed_wyden_letter_to_dni_re_nsa_p‌urchase_of_domestic_metadata_and_ftc_order_on_data_brokers_with_attachments.pdf [https://perma.cc/EHJ8-69ZH]; Charlie Savage, N.S.A. Buys Americans’ Internet Data Without Warrants, Letter Says, N.Y. Times (Jan. 25, 2024), https://www.nytimes.com/2024/‌01/25/us/politics/nsa-internet-privacy-warrant.html [https://perma.cc/5GVM-RXXR]. ↑
26.  See, e.g., ACLU v. Clapper, 785 F.3d 787, 823–24 (2d Cir. 2015) (declining to address whether the NSA’s bulk data collection pursuant to Section 215 violated the Fourth Amendment); Clapper v. Amnesty Int’l USA, 568 U.S. 398, 402, 414, 418 (2013) (dismissing for want of Article III standing the claim that § 1881a of the Foreign Intelligence Surveillance Act of 1978 is unconstitutional); Schuchardt v. President of the United States, 802 F. App’x 69, 76–77 (3d Cir. 2020); Obama v. Klayman, 800 F.3d 559, 562 (D.C. Cir. 2015). ↑
27.  See Barry Friedman, Lawless Surveillance, 97 N.Y.U. L. Rev. 1143, 1204–14 (2022) (providing a constitutional argument of precisely this nature). ↑

28.  In Carpenter v. United States, the Supreme Court barred warrantless collection of over six days of cell site location information, despite such collection ostensibly being permitted by the Stored Communications Act. 138 S. Ct. 2206, 2216–19 (2018). But the Court went no further. In that decision, the Chief Justice expressed the need to move cautiously, lest the Court “embarrass the future.” Id. at 2220 (quoting Nw. Airlines, Inc. v. Minnesota, 322 U.S. 292, 300 (1944)). Actual legislation will provide the Court with an opportunity to evaluate the specific protections it embodies, as well as government arguments about the utility of the data collected. See, e.g., Berger v. New York, 388 U.S. 41, 44 (1967) (evaluating constitutionality of wiretapping in context of New York’s law); see infra notes 332–40 and accompanying text (discussing how decisions like Berger have led to further legislation). ↑