What if the attacks of September 11, 2001 or Oklahoma City could have been prevented? How about school shootings, the mosque shooting in New Zealand or the terrorist attack in Tehran? Should governments be allowed to use third-party data and AI in the interest of national security, or to prevent, detect and prosecute crime? Can AI be an ethical and legal solution to address privacy concerns and eliminate the need for a search warrant?
Governments claim that when they have access to user data, they can prevent or detect crime. Balancing the needs of public safety against individual privacy rights has become increasingly complex, especially with the ubiquity of smartphones, authorized data collection, and the amount of information people freely share on social media. The irony and bitter truth is that individual private data has been voluntarily given away by them in exchange for access to free applications, such as Google Search, Gmail, Facebook, Instagram, YouTube, and TikTok. It is widely known that technology and marketing companies trade this data so why should a higher standard be placed on governments? Governments are able to purchase data from third-party data providers, such as Fog Data Science, LLC.[1] This article explores the ability of governments to purchase third-party data from brokers without a search warrant, provided that users have voluntarily consented to sharing the data. Artificial Intelligence (AI) can be implemented to address legal and ethical privacy concerns. AI can be a non-biased and anonymous methodology to process, sort, search, and analyze vast amounts of third-party data, solely for the purposes of identifying (“flagging”) data signals that indicate higher probabilities of criminal activity and threats to public safety.
The Role of Artificial Intelligence and Government Use of Third-Party Data
In addition to the traditional and newer approaches to data usage by the government discussed in this paper, recent developments in AI should be considered. The government is exploring AI as a tool for law enforcement,[2] which will affect the access, analysis, and utilization of third-party data to fight computer crimes. Compared to other human-centric methods, AI is uniquely poised to detect and prevent computer crimes in a rapid and fair manner. It is also possible for AI to normalize data searches and reassure privacy advocates because it is not a person and would presumably not have bias (unless it was trained in that manner).
For example, what if AI was trained to search various available databases through third-party data providers and had a threshold number of “signals” the AI was trained to look for? AI can search, classify, and track signals using third-party data-matching criteria for specific computer crime activities. Under these scenarios, the government could use AI to enhance its ability to effectively prevent or detect crime while simultaneously being less intrusive in the potential invasion of privacy guaranteed under the Constitution. AI could be valuable for searching third-party data and providing valuable insights from public information such as social media, surveillance footage, and financial transactions. AI output can be used to identify patterns and anomalies that indicate potential criminal activities or threats to public safety. AI-powered algorithms can process this information in a manner far more efficient and accurate than humans, enabling law enforcement agencies to proactively identify and prevent crimes while simultaneously complying with constitutional and other legal requirements surrounding an individual’s right to any reasonable expectation of privacy. Although this may harken back to the “Precogs” (precognitives) in the movie Minority Report,[3] an experiment that went wrong, AI can be a solution that solves the challenge of balancing individual privacy rights with public safety.
Can Governments Bypass Search Warrants by Buying Your Data?
The ability of governments in different countries to access data under third-party data doctrines varies significantly. Third-party doctrines can allow the government to obtain information that individuals voluntarily disclose to a third-party without needing a warrant. The rationale is that when users voluntarily share information with a business or the public, they have a reduced expectation of privacy. Under this premise, government agencies can request data from third-parties, such as banks, phone companies, Google and social media platforms.
In the United States, courts apply the Fourth Amendment to the government’s usage of third-party data without a warrant. Some courts allow the government to access third-party data without a warrant because the user has consented to data sharing with a company. Companies have “common authority” over their business records,[4] allowing the third-party company to consent to a government search of its data - even if the user opposes it. Furthermore, third-party companies may enter into voluntary sales (“manifested consent”) of user records that would otherwise be protected by the decision in Carpenter v. United States.[5]
The United Kingdom (“UK”) has similarities to the U.S. with some differences. For example, The Human Rights Act of 1998 incorporates the right to privacy from the European Convention on Human Rights and provides some protection against government access to personal data. The Investigatory Powers Act 2016 (IPA) sets established a legal framework for government access to communications data and bulk personal datasets. Generally, when a user voluntarily discloses information to a third party (i.e., bank records, phone records and social media posts), they have a reduced expectation of privacy, and the government might access data without a warrant in specific circumstances. With respect to third-party data, generally the IPA requires that the government have prior judicial authorization (akin to a warrant) to access data, phone records and emails that are held by communication service providers. There are special exceptions, such as national security emergencies, where the government may access the data without judicial authorization. The IPA also regulates government access to bulk personal datasets held by private companies or public bodies and often requires judicial oversight. Beyond the IPA, other legal powers grant the government access to specific types of data under defined circumstances, sometimes without a warrant (i.e., tax investigations, immigration control, and counter-terrorism).
In Singapore, the ability of the government to access third-party data without a warrant is more permissive than many other countries. Singapore’s Personal Data Protection Act (PDPA) grants the government broader discretion compared to countries with stronger data protection laws. The Criminal Procedure Code (CPC) allows agencies to request data from third parties during investigations, and may require judicial approval for sensitive data. The Computer Misuse and Cybersecurity Act (CMCA) empowers their government to compel organizations to disclose data for cybersecurity purposes, potentially without a warrant in specific situations. Agencies are largely exempt from the PDPA if a national security exception exists, allowing them to access data without individual consent or notification.
The ability of the Chinese government to access third-party data without a warrant is significantly broader than in many other countries, and differs greatly from both the UK and Singaporean laws. While legal frameworks exist in China for data privacy, they tend to grant significant leeway to the government and offer limited privacy protections to individuals. China lacks a comprehensive data protection law and individual privacy rights regarding data held by third parties are not firmly established. China’s Cybersecurity Law and Personal Information Protection Law mention protection of personal data, yet grant broad exceptions for government access. The Chinese government maintains significant control over information and communication technologies, allowing it to directly access data from various sources without a warrant. Technology companies, telecommunication providers and social media platforms in China are often required to cooperate with government requests for data, without a warrant.
In most countries, recent legal trends tend to favor the government’s ability to access third-party data under laws that mirror the United States and the “Third-Party Doctrine,” which was established in Smith[6] and Miller.[7] In both matters, the U.S. Supreme Court held that business records may not be subject to protection under the Fourth Amendment warrant requirement if they were voluntarily shared with a third-party.[8] In these cases, the third-party doctrine has been applied, holding that individuals have no reasonable or legitimate expectation of privacy for information they voluntarily share with third parties.[9] This holds true, even if the individual assumes the third-party would use the data for a limited scope or purpose.
Selling You Out: Are Data Brokers Helping Governments Ignore Your Privacy?
A recent example of data purchases by government agencies is the arrangement between Fog Data, LLC, and the U.S. Government. There has been much controversy surrounding the government’s use of this data, and some believe the government is using this information to conduct illegal surveillance. In contrast, the government argues it is necessary to use this third-party data for national security. At the heart of this controversy is Fog Data, LLC purchasing and aggregating vast amounts of user data from tech companies, then selling it to government agencies. Critics believe governments should not have access to this information, arguing it undermines civil rights and sets a dangerous precedent.
There are concerns about the need for more transparency surrounding how the government uses data from brokers and many feel there needs to be more oversight and accountability. Additionally, there are concerns about Fog Data, LLC’s security, as hackers have allegedly been able to breach the system and steal sensitive data.
In other recent developments, bipartisan efforts resulted in legislation being drafted that would prohibit the government from purchasing this party data (such as Fog Data, LLC). Twenty prominent U.S. Senators,[10] including Ron Wyden (Democrat) and Rand Paul (Republican), introduced a legislative bill in 2021 that would “put a stop to shady data brokers buying and selling Americans’ constitutional rights.”[11] In their introduction of the “Fourth Amendment is not for Sale Act,” U.S. Senator Mike Lee stated, “The federal government should not be allowed to skirt the Fourth Amendment’s existing warrant requirements and surveillance laws by purchasing Americans’ data from third-party brokers. This legislation will protect the civil liberties of Americans by closing loopholes in existing law.”[12] Over a year later, despite the impressive sponsors of the Bill, it has not progressed. This is likely because most lawmakers agree with this paper’s thesis - we do not need new or expanded laws for data privacy as it relates to the government’s use of third-party data that users have voluntarily given up. For a more detailed analysis of the Fourth Amendment, individual user data privacy rights, and why the government should be able to purchase data from third-party companies, please refer to the next section and the analysis of the Fourth Amendment as it pertains to data privacy laws.
The Legal Tightrope: Balancing User Consent and Government Access to Data
How can an individual who uses free apps, wears a Fitbit, or regularly posts on social media about their personal life, assert they have an expectation of privacy concerning that data? They voluntarily give up their data to the public and to companies. Governments across the globe should be able to access third-party user data without a warrant, provided that data has been previously been consented to sharing by the user. However, The concept of “consent” in data sharing is complex and often misleading. Many platforms present long and convoluted terms of service that people might not fully understand, and consent obtained under such circumstances is questionable.
The global challenges of balancing individual privacy needs against government missions to protect society will be forever ongoing. Continued increases in cyber crime, terrorist attacks and global uncertainty create justification for governments needing more access to user data. Properly implementing AI as an unbiased and error-free solution for processing and analyzing user data can create a balance that protects national security and user privacy.
[1] Fog Data Science, LLC was founded in 2016 by two former U.S. Department Homeland Security employees. Bennet Cyphers, Inside Fog Data Science, the Secretive Company Selling Mass Surveillance to Local Police, Electronic Frontier Foundation (August 31, 2022), https://www.eff.org/deeplinks/2022/08/inside-fog-data-science-secretive-company-selling-mass-surveillance-local-police.
[2] Christopher Rigano, Using Artificial Intelligence to Address Criminal Justice Needs, National Institute of Justice Journal, Issue No. 280 (January 2019), https://www.ojp.gov/pdffiles1/nij/252038.pdf.
[3] David Sims, Minority Report Tried to Warn Us About Technology, The Atlantic (June 14, 2022), https://www.theatlantic.com/culture/archive/2022/06/minority-report-spielberg-movie-tom-cruise/661274/.
[4] Orin Kerr, Buying Data and the Fourth Amendment, Law Fare (November 17, 2021), https://www.lawfaremedia.org/article/buying-data-and-fourth-amendment.
[5] Carpenter v. United States, 138 S.Ct. 2206 (2018).
[6] Smith v. Maryland, 442 U.S. 735 (1979).
[7] United States v. Miller, 425 U.S. 435 (1976).
[8] Orin S. Kerr, The Case for the Third-Party Doctrine, 107 Mich. L. Rev. 561 (2009), https://repository.law.umich.edu/mlr/vol107/iss4/1.
[9] Richard M. Thompson II, The Fourth Amendment Third-Party Doctrine, Congressional Research Service Report (June 5, 2014), https://sgp.fas.org/crs/misc/R43586.pdf.
[10] U.S. Congress Senate Bill 1265 Cosponsors (2021).
[11] Ron Wyden, Wyden, Paul and Bipartisan Members of Congress Introduce The Fourth Amendment Is Not For Sale Act, Press Release (April 21, 2021), https://www.wyden.senate.gov/news/press-releases/wyden-paul-and-bipartisan-members-of-congress-introduce-the-fourth-amendment-is-not-for-sale-act-.
[12] Id.
Kenneth W. Sterling, Big Brother Bargain: Can Governments Bypass Your Rights by Paying Up?, Digital Law Asia (Feb. 27, 2024), https://digital.law.nycu.edu.tw/blog-post/sahfkp/.
No. 1001, Daxue Rd., East Dist., Hsinchu City 300093, Taiwan