During the Senate Intelligence Committee’s annual Worldwide Threats hearing on Wednesday, FBI Director Kash Patel told lawmakers that the bureau purchases commercially available information that can track the movement and location history of individuals in the United States.
“We do purchase commercially available information that’s consistent with the Constitution and the laws under the Electronic Communications Privacy Act, and it has led to some valuable intelligence for us,” Patel told senators.
The statement confirmed that the FBI is actively buying people’s data again. In 2023, former FBI Director Christopher Wray told lawmakers that the bureau had bought location data in the past but was not doing so at that time. Patel’s response during the hearing provided the first confirmation that the practice has resumed.
The disclosure came after questioning from Sen. Ron Wyden, a Democrat from Oregon who has long opposed warrantless surveillance of Americans. Wyden reminded Patel that Wray had previously testified that the FBI was not purchasing location data derived from internet advertising in 2023.
Wyden asked whether that was still the case and whether Patel would commit to not buying Americans’ location data. Patel responded by explaining that the FBI purchases commercially available information consistent with the Constitution and the Electronic Communications Privacy Act.
Wyden responded directly during the hearing. “Doing that without a warrant is an outrageous end run around the Fourth Amendment, it’s particularly dangerous given the use of artificial intelligence to comb through massive amounts of private information,” he said.
Federal law enforcement agencies generally must obtain a warrant before collecting cellphone location data. A warrant requires probable cause and approval from a judge. In 2018, the U.S. Supreme Court ruled in Carpenter v. United States that the Fourth Amendment prohibits the warrantless collection of individuals’ cellphone location history from mobile carriers.
The ruling focused on requests made to telecommunications providers. Data brokers create another path. Instead of requesting records directly from cellphone companies, government agencies can buy similar data from private companies that collect and sell consumer information.
Wyden is pushing legislation to address this situation. On March 13, he and Republican Sen. Mike Lee of Utah introduced the Government Surveillance Reform Act. The proposal would require federal law enforcement and intelligence agencies to obtain a warrant before purchasing Americans’ personal information. A House version of the bill was introduced by Rep. Zoe Lofgren, a Democrat from California, and Rep. Warren Davidson, a Republican from Ohio.
Committee Chair Tom Cotton, a Republican from Arkansas, defended the practice during the hearing and said the key issue is that the information is commercially available.
Defense Intelligence Agency Director James Adams also told senators during the hearing that his agency purchases commercially available information.
Patel’s confirmation raised questions about how location information moves from private devices into government investigations. The data typically begins with smartphones and the applications installed on them.
Mobile apps track location to provide services such as navigation, weather updates, and travel planning. That tracking generates detailed records of where devices move throughout the day.
Nathan Freed Wessler, deputy director of the American Civil Liberties Union’s Speech, Privacy, and Technology Project, explained how this data is used commercially.
“This is one way that apps that appear to be free or low cost to us are actually making money off of us – by making our very detailed location history the product,” he said.
When users grant an app permission to access their location, that information can reach multiple companies connected to the software inside the app.
Lena Cohen, staff technologist at the Electronic Frontier Foundation, explained that when a person grants an app access to location data, companies embedded in the app’s software may also obtain that information.
Data brokers gather large volumes of location data from app developers and other sources. These companies collect information about phones and combine it with other personal data, including name, gender, health details, political preferences, and home ownership records. The industry built around collecting and selling this data is worth billions of dollars.
The Electronic Frontier Foundation has explained that data brokers can pay app developers per user to gain access to devices. That access can collect location data when the app is open, or when the phone itself is on, depending on how the software is configured.
Location information also flows through the online advertising system. When a smartphone connects to the internet, it transmits technical details, including its IP address, device type, and GPS coordinates such as longitude and latitude.
These details enter a system called real-time bidding. In this process, websites and apps auction advertising space within milliseconds after a page loads. Companies participating in the auction receive information about the users who will see the advertisement.
The information exchanged in this system is often called the “bidstream.” It can contain location data and device identifiers. The Electronic Frontier Foundation explained that participants in the ad marketplace can gain access to sensitive data about large numbers of individuals.
Data brokers use this system to gather location information at large scale. They combine location data with other information provided when users sign up for online services, such as names, email addresses, and income. Banks have also explored licensing anonymized customer data to brokers as a way to generate revenue.
Once combined, these records can create detailed profiles of individuals. Location history can reveal where a phone travels throughout the day and where it stays overnight.
Wessler explained how detailed these patterns can be.
“It’s incredibly revealing knowing where your phone goes over time,” he said.
Location data can show where someone lives, where they go after work, and who they spend time with. Phones that appear together in the same locations can reveal social connections and gatherings. The data may also reveal visits to places such as a psychiatrist’s office, a political rally, or other private events.
Data brokers obtain location data through multiple sources. One reported example involved a broker that purchased location data from Muslim prayer and dating apps before the information reached the U.S. military, according to reporting by Vice.
In another case, the French data protection regulator inspected a company called Vectaury in 2018. Vectaury acted as an advertising intermediary for mobile apps. Regulators found that the company had built a database containing personal data from 67.6 million people without proper consent.
Data brokers sell or license their databases to many clients, including government agencies. Lawmakers have raised concerns that the same information could also be sold to foreign governments seeking ways to monitor U.S. citizens.
Federal agencies have already used purchased location data in investigations. In 2020, the Wall Street Journal reported that the Department of Homeland Security used location information to find undocumented immigrants and others who might be entering the United States unlawfully. The data was also used to identify cellphone activity in unusual areas, including remote desert stretches along the Mexican border.
Earlier this month, 404 Media reported that an internal U.S. Customs and Border Protection document showed the agency used location data from the online advertising industry to track phone locations.
On March 3, congressional Democrats called for an investigation into warrantless purchases of Americans’ location data by Immigration and Customs Enforcement and the Department of Homeland Security. The lawmakers cited a 2023 report from the DHS inspector general that found ICE’s data purchases were illegal. The program was shut down in 2023.
Location data is also used through specialized tools developed by surveillance companies. In January, 404 Media reported that Immigration and Customs Enforcement purchased access to software supplied by cybersecurity company Penlink.
The agency bought access to tools called Tangles and Webloc. These tools can monitor large numbers of people simultaneously.
Webloc identifies smartphones present in a specific area during a specific period. After identifying the devices, the system can follow their movement during the day and track where they travel before returning to their home location at night.
Penlink does not publish detailed explanations about how the system works. A marketing page that was later removed described Webloc as automatically analyzing “location based information” gathered from “endless digital channels from the web ecosystem.”
Reporting by Forbes stated that the system can combine information from several sources, including social media, to produce a real-time view of events. The Texas Observer reported that Webloc can enable “warrantless device tracking.”
Several federal agencies have purchased location data from brokers, including the Department of Homeland Security, Customs and Border Protection, the Secret Service, and the Internal Revenue Service.
Private organizations have also used similar information. Anti-abortion groups have used location data while targeting individuals visiting Planned Parenthood clinics.
Legal debate over the practice continues. The Fourth Amendment protects people from unreasonable searches and seizures without probable cause. Legal scholars have pointed out that the amendment does not regulate transactions conducted through open markets.
Dori H. Rahbar wrote in the Columbia Law Review that the Fourth Amendment does not regulate open market transactions. Aaron X. Sobel wrote in the Yale Law and Policy Review that buying data in this way amounts to “end-running warrants.”
Privacy advocates argue that legislation is needed to close this gap. The Electronic Frontier Foundation supports legislation called the Fourth Amendment Is Not For Sale Act, which would require government agencies to obtain a warrant before purchasing sensitive personal data.
Until federal privacy laws change, large amounts of location information will continue circulating within the data broker industry. The Electronic Frontier Foundation has published steps individuals can take to reduce data collection.
The organization recommends reviewing which apps have location permissions, disabling location access when possible, limiting apps to accessing location only while they are open, or switching from precise location to approximate location.
It also recommends disabling the mobile advertising ID on smartphones. The identifier helps location data brokers combine information collected from different apps.
Wessler said many people may not know how to take these steps or may never encounter the instructions.
“So the real answer is that Congress needs to step in,” he said.
