return to table of content

Senator Wyden Letter Confirms NSA Is Buying US Persons' Data from Data Brokers

lumb63
82 replies
9h15m

It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation, if not in letter, then in spirit, of the fourth amendment. I’d like to see an amendment to the Constitution to update the fourth amendment for the modern era, where a huge amount of information can be gathered about people without “searches and seizures”. The general issue of data collection is obviously one of the largest of our time, but I think most people would agree our own government should not be using our money (or debt) to legally circumvent our rights.

JohnFen
22 replies
8h5m

where a huge amount of information can be gathered about people without “searches and seizures”

Although in my opinion, the vast majority of this data collection and use absolutely counts as "searches and seizures" -- just by private corporations rather than the government. Which, in my view, is worse than if it were just the government.

cj
14 replies
7h53m

I think there needs to be some kind of "responsible and clear disclosure" laws that require companies to very clearly and overtly disclose what data they're collecting and how they're using it.

Some kind of standardized "label" (something like the standardized nutritional facts on food products) that is easy for consumers to read and comprehend, not buried in pages of paperwork, without needing to read a 20 page TOS / Privacy Policy.

The legal problem is everyone is "consenting" to data collection by accepting a TOS which protects companies and makes it "legally acceptable". The real problem that needs solving is consumers are rarely aware of what they're consenting to. Companies might not hoover up and sell as much data if they were required to clearly tell everyone they're doing it.

Basically, let's get rid of this idea that agreeing to a 20 page TOS / Privacy Policy is legally binding when < 1% of people actually read what they're agreeing to.

Eji1700
8 replies
7h42m

I honestly don’t think this would work. The number of “well why should I care if they have the data” conversations I’ve had is just depressing.

cj
7 replies
7h35m

We can't force people to care about privacy. That's not the goal. If someone is clearly informed and they still don't care, that's totally fine. The problem is people aren't being clearly informed.

thfuran
5 replies
7h26m

No, the problem is that they don't really have an alternative. To give none of your information to banks, email providers, ISPs, cell service providers, etc. is to remove yourself from society.

lumb63
1 replies
5h34m

I’m not sure of your personal skills, abilities, and background, so this is more of a general call to action: Why not create an alternative?

I’ve often heard people talk of a lack of alternatives to certain services, so they use them begrudgingly, or boycott them at large personal cost. But it doesn’t have to be this way. There is nothing that I’m aware of that says banks or digital service providers need to collect any more information than is necessary to provide the service they offer. It seems to me that, at least in a this niche community there is a desire for privacy-respecting products and services. A company that oriented itself around meeting that demand would be, I suspect, very lucrative.

thfuran
0 replies
5h10m

There is nothing that I’m aware of that says banks or digital service providers need to collect any more information than is necessary to provide the service they offer

And what about all the information that is necessary to provide the service they offer, like the real-time location of everyone's cell phone and who calls who when and for how long or all the DNS requests? Sure, a company doesn't have to retain this information and market it for resale, but providing these sorts of services necessarily entails access to a lot of information that most people would consider private, but which the third party doctrine says isn't.

JohnFen
1 replies
6h31m

the problem is that they don't really have an alternative.

In situations where there isn't an alternative, consent is impossible.

20after4
0 replies
6h2m

Companies, courts, and for the most part the congress, obviously don't seem to care. (In the USA, at least. Europe sort of seems to care but even then I'm not sure the solutions have been adequate / appropriate)

20after4
0 replies
6h3m

This is the key right here. There should be a clear way to withhold consent because implicit agreement isn't good enough for the kind of data collection and aggregation that is happening.

godelski
0 replies
3h17m

If someone is clearly informed and they still don't care, that's totally fine.

Let's be honest here, how many people are "clearly informed?" That's fuzzy definition. I'll give a personal example here[0]. Certainly the implications here are operating through fairly abstract and indirect mechanisms (it's even called "metadata") and most people are not trained to operate within these types of frameworks.

FWIW, no one seems happy with the situation but feel that they have no choice in the matter. It's said that you can choose not to use said service, but often the implication of that means no phone, no internet, no computer (at least non-linux), no bank, etc. There may be a literal choice available, but not a reasonable choice. I think we need to have a clear distinction between these two, because the literal choice is often used to justify something that would have major impacts. I think it is difficult to argue that one could create a reasonable and relatively average modern life with no access to phone, internet, or computer. It also then clearly becomes "well I'm forced to share with x people, so I guess I'll share with y" and often x is "the government" (even if it isn't).

[0] I've on several occasions had conversations with my family where they've been convinced that their phone is listening to every conversation they have (this dates back to 2010 btw but continues today) because they were served ads for something they were talking to about with a friend, in person. They are convinced that is the only way that such an inference could be made rather than through knowledge that the friend made the purchase (recently), that the companies know these two people are standing right next to one another for an extended period of time, and have a decent knowledge of their interests to infer that this product would be likely discussed by these two people. Ironically the recording is more complex, but it appears simpler. Sure, setting is different in 2023+ but we know the compute costs to process every conversation and energy requirements to be always recording and that this would kill phones of the 2010's.

JohnFen
2 replies
7h42m

The real problem that needs solving is consumers are rarely aware of what they're consenting to.

Right, which means consent was never actually given. In order for it to be consent, you have to be fully informed of and understand what you're being asked to consent to, and there has to be a realistic and meaningful way to withhold that consent.

godelski
0 replies
3h40m

you have to be fully informed of and understand what you're being asked to consent to

This really makes it seem like only a very limited set of contracts would actually be legal.

To me a big problem we have is that we act as if there is a fair "fight" between a mega corporation with a expensive team of lawyers, expert psychologists, and supercomputers against ... my gandma who googles to get to google. I think we all know that nearly no one reads pretty much anything they sign and if they did it is not clear that they are fully informed, understand, or are not under pressure (clear case might be medical consent forms authorizing something like a emergency surgery. I'd find it impossible to convince me the person signing was well informed and not under duress. I'd rather case like that revolve around expert of doctors determining if an action was reasonable to another doctor rather than have anything to do with a patient or surrogate signing a document. Seems to just waste time).

It really would be great if the crack team of lawyers was required to put terms and conditions into text that is understandable by an average person in a reasonable amount of time.

HeatrayEnjoyer
0 replies
7h20m

There's so many adults that were clearly never taught F.R.I.E.S. and it's both depressing and horrifying.

Freely Given

Reversible

Informed

Enthusiastic

Specific

20after4
1 replies
6h6m

A TOS is absolutely not a contract that people enter into fully aware of the implications.

We should have granular control over the permissions we give companies in how they use data. I don't feel it is enough to require clear disclosure of the ways a company uses data, I think they should require explicit and knowing consent from the user, and the user should have a meaningful way to withhold consent other than to abstain entirely from using any online services.

It is hardly fair or equitable, and surely should not be legal that a company can, without any meaningful way for a user to withhold their consent, declare & demand unlimited control and benefit (of/from the user's data) for any purpose whatsoever, including sharing and selling said data for a profit to data brokers who have no contractual obligation to the user once they obtain the data.

godelski
0 replies
3h31m

I'm fully with you, but my question is how you actually inform people at the power of their data? I often pressure people into chatting with me through Signal and I'll be honest, there is often a defeatist or lack of knowledge at what this data can be used for even among graduate CS students.

Honestly, I think one of the major issues is that the world is exceptionally complex these days (well, always has been, but surely there's more now). Our entire world runs on specialization but we often act as if one needs to be an expert in nearly every domain. Is not the definition of an expert someone who understands the nuances and complexities of said niche? It would then seem de facto unreasonable for people to have a nuanced understanding of practically any given subject.

Because of this, I want to question the common framing about focusing on informing people. I don't want to stop informing people, to be clear. But I think we should look for solutions that are not reliant upon people being informed, as this is clearly not a scalable nor stable mechanism for creatures with finite ̶t̶a̶p̶e̶ ̶ knowledge and finite time.

psychlops
6 replies
7h56m

Which, in my view, is worse than if it were just the government.

Consider that no matter how evil the corporation, they can't seize your property or freedom. Be careful who you empower.

kmeisthax
5 replies
7h47m

Yes, they can, and they have. What do you think Apple is, if not a government in corporate clothing?

JoshTriplett
4 replies
7h43m

Apple cannot jail you, fine you, or legally enjoin your activities.

kmeisthax
1 replies
5h45m

Their behavior against Gizmodo over an iPhone 4 prototype got really close to jailing tech bloggers.

Their technical control over the signing keys that Apple devices trust also gives them the ability to enjoin shittons of otherwise legal activity (e.g. emulators).

Apple also pays shittons to have Customs & Border Patrol lock down the US border and ban iPhone parts imports that aren't authorized by Apple. Does that count as a fine?

I'm pretty sure that's already two out of three.

JoshTriplett
0 replies
4h51m

The first and third of those are Apple trying to get a government to do something on their behalf. The second of those is attempting to technologically restrict activities you can do with an Apple device, not legally restrict your activities in general. Apple still doesn't have the legal authority of a government, nor should it.

JohnFen
1 replies
7h41m

US history is full of examples of private corporations doing exactly this.

psychlops
0 replies
7h23m

Are you saying that this is still done today or just bringing up an interesting historical fact?

tantalor
10 replies
8h26m

They also use this to solve cold cases by scanning genetic databases for near matches.

https://www.nytimes.com/2018/10/15/science/gedmatch-genealog...

EasyMark
8 replies
8h0m

another thing that should also be illegal. You shouldn't be able to use a 3rd party (company) to break the law (4th amendment)

the_doctah
5 replies
7h55m

Problem is if they make it illegal now you would pretty much have to release at least 2 horrible prolific serial killers

ilovetux
2 replies
7h36m

It seems to be coming out that DNA evidence is not as reliable/accurate as we have been led to believe, so yes if the evidence was illegally obtained and of questionable veracity then we should release anyone who was convicted as a result. If blame for the whole situation is required, blame the overzealous prosecutors who raced ahead with flimsy, pseudo-scientific evidence.

tzs
1 replies
6h32m

I don't think that they used the DNA from the databases to convict the people in these cases. I think it was more like this:

• They've got a serious crime, like a serial killer, but no real suspects. They do have some DNA that is almost certainly from the criminal but it does not match any DNA they have on file.

• Years later they compare that DNA to DNA in some large DNA database that is not focused on criminals.

• There are no matches that indicate that the criminal's DNA is in that database, but there are several matches that indicate people who are relatives of the criminal.

• They can then look at assorted public records to find people who are related in the right way to some of those relatives.

• Among those people, some previous person who either never was a suspect originally or a very weak suspect comes up. They then take a thorough look at any records can find about that person's activities at the times of the crime and find that they were actually connected to most of the victims and in the right places at the right times to be the criminal.

• That gives them enough evidence to compel a DNA sample from that person, or they start watching the person and get a DNA sample from something like a discarded napkin or cup that the person unwisely discarded in a public trashcan. That sample matches the samples from the crime scene.

• It is that latter sample, and the records of the person's activities and relationships with the victims, that form the bases of the conviction.

EasyMark
0 replies
5h48m

The point is they absolutely shouldn't have the ability to do blanket searches of DNA banks. That was my point. If they have a warrant for a killer's DNA and that person has sold DNA to 23 and Me then fine, go check his particular file. That would be kind of pointless since they could just force that person to give up their DNA with a specific warrant, but whatever. They should not be able to do pattern matching on the whole DNA database to fund an unknown killer. That would be violating my 4th amendment and 5th amendment rights because they don't have a warrant to check my DNA

psychlops
0 replies
7h44m

Trample on the rights of hundreds of millions or release a few serial killers? I'd take the greater good option.

EasyMark
0 replies
7h3m

I hate that, but that's for the greater good. We could prevent virtually all crime if we were all required to be under video, GPS, and audio surveillance at all times and only be permitted to leave your home to go to work or shop for basic goods, otherwise face a lifetime in prison. However, that goes against common sense and agreed upon basic human rights. You should be free of government/police surveillance unless there is a warrant with very specific and limited conditions and parameters, I feel that is the spirit of the 4th amendment and bill of rights in general.

gur48
1 replies
7h25m

another thing that should also be illegal. You shouldn't be able to use a 3rd party (company) to break the law (4th amendment)

"Should" - based on what legal or even rational basis? Or just your personal and subjective "feelings"?

EasyMark
0 replies
6h57m

basic interpretation of the 4th amendment. It's basic logic. The Bill of Rights was written for a reason, and written to be understood easily by everyone, rather than needing to dig through thousands of lines of laws and legal precedents that only lawyers could interpret.

hammock
0 replies
7h15m

Can’t you give a false name when you submit your DNA to those ancestry services?

caseysoftware
10 replies
7h52m

This goes back to Third Party Doctrine.

It's the premise that once you give up data to a third party, you no longer have any "reasonable expectation of privacy" so therefore it's not a search.

There is similar case law backing up searching your garbage can. While it's up against your house (aka still under your control), you have rights to it.. once you put it on the street for the garbage truck to collect, you've surrendered those rights.

I'm NOT saying this is good or what I like - specifically, I hate it - but it's how it currently works under US case law.

Therefore, to change things, we need Congress to write new laws and/or new Amendments. Our opinions of "how it should be done" are irrelevant unless backed by the law.

kmeisthax
4 replies
7h39m

The funny thing is, when it comes to freedom of speech, the courts made the opposite decision with the State Actors doctrine. If the government wants to censor you, they can't reach through a private institution to do it. But the Third Party Doctrine says they can reach through a private institution to search and seize your property.

This is an arbitrary distinction chosen purely by judicial fiat. There was no democratic movement to strengthen 1A and weaken 4A/5A in this manner. Ergo, we shouldn't necessarily have to get Congress involved just to fix this weird inconsistency in caselaw. The courts have an understandable aversion to "legislating from the bench", but if you've already done so, I think it's fine to at least fix obvious mistakes.

voxic11
2 replies
7h29m

I don't think the courts or the companies which hold your personal data consider you to have any property right to that data (beyond the intellectual rights you may have via any copyrights, even if you count those much personal data like your location history or your DNA isn't copyrightable). Imo when the government receives a copy of your personal data from a third party they aren't "taking your property" any more than I would be if I took a photograph of your house.

How do you imagine property rights for personal data to work? Even in places like the EU with stronger rights/protections around personal data they don't try to fit those rights/protections into the existing framework of property rights because they are so different.

caseysoftware
1 replies
7h21m

We don't have to imagine, we can read their TOS.

We continue to "own" the data, but we've given them a worldwide irrevocable unlimited license to do what they want, limited only by local law.. hence why I put "own" in quotation marks.

voxic11
0 replies
7h9m

Well that is in regard to any copyrighted material you may give them. But for uncopyrightable things like data from a heart rate sensor, or your shopping history on amazon, you can only ever own the physical objects the data is manifested in, not the data itself. And any company will definitely tell you that you have zero property rights over the actual storage devices in the datacenters where your data happens to reside.

bpt3
0 replies
7h18m

There's a major (and important) distinction between the two scenarios.

The State Actors doctrine says that the government can't hire someone to do something on their behalf that they're not allowed to do.

Under the Third Party Doctrine, they aren't searching and seizing your property in this case, as your data is no longer your property since you gave it to that third party already.

If the government was paying Neustar (or whomever) to go acquire this data on their behalf, it would be an issue under current law. But buying something that was handed over willingly* is a different issue.

*the article makes a valid point that many people are unaware they have agreed to hand this data over to a service provider, which is something that should be addressed IMO.

You might not agree with it, but it's not an "obvious mistake" and it's not a "weird inconsistency" in caselaw.

Eji1700
1 replies
7h43m

Yes but I think the courts would instantly shoot down having the NSA collect everyone’s garbage and sift through it for anything incriminating

monocasa
0 replies
7h34m

There's no expectation of privacy for garbage, and no fourth amendment protections for it. That's why dumpster diving remains legal as long as you don't break since other law like trespass in the process.

voxic11
0 replies
7h32m

Yeah certain information held by third parties is already protected by statute such as video tape rental or sale records, or emails held by a service provider for less than 180 days. There really isn't a reason why congress couldn't expand similar provisions to all or most personal data held by third parties.

https://en.wikipedia.org/wiki/Video_Privacy_Protection_Act https://en.wikipedia.org/wiki/Stored_Communications_Act

electrondood
0 replies
4h55m

I'd wager you could argue that it's not possible to participate in society without internet services, and that it's not possible to use internet services without divulging personal data.

It's practically impossible to avoid giving your information to a 3rd party.

Projectiboga
0 replies
6h13m

There is a whole subject called Garbology.

https://en.wikipedia.org/wiki/Garbology

ajross
10 replies
8h33m

It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation

The fourth amendment is a prohibition on UNREASONABLE searches and seizures. What possible definition of "reasonable" would exclude "legally purchased on the open market"? What other perfectly reasonable techniques would you deny to law enforcement? Should they not be able to look at someone's LinkedIn? Look up their address in a phone book?

No, the constitution isn't going to protect you from the government doing what everyone else can. If we want this stuff not to be available for sale, we should regulate it.

prpl
2 replies
8h17m

Going a step further, they can just pay another middleman to do the analysis and write up reports to generate information to execute reasonable searches and seizures.

EGreg
1 replies
7h53m

Actually, they can allow an entire free market of investigators to pop up and then pay them to do things. Like NHS does with doctors.

In fact, we can remove the government from the equation altogether and have a free market

__MatrixMan__
0 replies
7h38m

That might be a good move, because this government is feeling kind of stale, but I think we'd pretty quickly realize that free markets want some things that are worth preventing and a government would emerge to keep them from turning all roads into toll roads and other such excesses.

lcnPylGDnU4H9OF
1 replies
8h23m

No, the constitution isn't going to protect you from the government doing what everyone else can.

That's actually it's literal intended purpose as far as I can tell. For example, my employer can make certain demands of my speech or otherwise punish me for my expressed opinions, while such behavior is explicitly forbidden from the government by the constitution.

ajross
0 replies
7h52m

That's true of the text of the first amendment, because that part is clear and unqualified ("congress shall make no law") as clearly the framers felt it was important not to be misunderstood.

Why do you think the word "unreasonable" is even in the text of the fourth then, if not to clarify that the government IS allowed[1] to do normal/legal/reasonable/whatever research?

I'm not saying you shouldn't be offended that this stuff is being gathered about you. I'm saying the constitution isn't going to protect you and you need to vote for candidates (Wyden's an excellent one!) who will pass laws to do that.

[1] Because of course it is. Again, police work requires information gathering!

c0pium
1 replies
8h18m

Who are you more concerned about being able to query your LexisNexis report, the NSA or the domestic terrorists?

Unfortunately many (most?) people on here are in the advertising/data merchant business. You will never convince someone to understand a thing if their livelihood depends on them not understanding it.

__MatrixMan__
0 replies
8h7m

I don't know about the rest of you, but when it comes to

- Having enough money to retire into a dystopian hellhole that I spent my younger years creating

- Making some hard decisions now so that I can have an average life in a functioning society later

I'd prefer the latter. But conveniently, it's not HN that we need to convince to reign in advertising, it's the House and the Senate, and their voters are plenty suspicious of "big tech" whatever that is.

And yeah, much more worried about the NSA than terrorists.

troyvit
0 replies
7h26m

Wyden's letter[1] is a lot more targeted than the Techdirt article. The letter says this:

"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,"

and refers specifically to an FTC order[2] that prohibits the government buying data from a specific shady broker (X-Mode Social).

He summarizes the letter on his own site without the editorializing that honestly I love so much about Techdirt.[3]

On a side-note, according to Wyden, 'Through this case, the FTC announced that Americans must be told and agree to their data being sold to “government contractors for national security purposes,” for the practice to be allowed.' I don't know how that's enforceable given how many hands user data goes through. Most organizations that suck that data up sell it to several third parties who can then sell it to whoever they want. All the NSA has to do is go a few steps down the chain.

So it doesn't matter. The NSA will continue, as you noted, to lawfully buy this data from third parties who are slightly less sketchy than X-Mode Social (what a name) and the FTC's toothless rule won't change a thing.

[1] https://www.wyden.senate.gov/imo/media/doc/signed_wyden_lett...

[2] https://www.ftc.gov/news-events/news/press-releases/2024/01/...

[3] https://www.wyden.senate.gov/news/press-releases/wyden-relea...

lumb63
0 replies
4h47m

I see your point. Data collection is required to some degree to, e.g., prosecute criminals. Any agency tasked with law enforcement would use all means at their disposal to do that, and legally purchasing data on the open market does seem reasonable. I agree with you that the Constitution and laws as they are today are unlikely to find any issue with the practices in place. However, my interpretation of the spirit of the fourth amendment is that Americans should not have to tolerate their government (or its agencies) infringing on their privacy unless they are suspected of having done something wrong, which is why the purchase of data from data brokers seems wrong to me.

Personally, I would deem such means permissible to investigate someone suspected of having committed a crime. Where I find issue is the widespread use of such techniques to monitor for crimes, since they come at such a large cost to personal privacy, and are searching for a needle in a haystack. Millions will have their privacy compromised so that maybe a single criminal can be caught, and personally, that cost is too high. I understand some folks might disagree that, but I hope Sen. Wyden, and others who join forces with him or follow him, will continue to represent that idea, and pursue legislation to codify it in law.

abofh
0 replies
8h3m

While I get your point, the constitution is fundamentally _about_ hamstringing the government in ways you're fully allowed to privately contract away. It's about saying the government may pass any and all laws within these guidelines -- that's why you can shout fire at the top of a mountain and nobody cares, but in a privately owned theater it's not a free-speech issue.

Or something like that - point is, if it wasn't doing anything wrong, why was it obscuring that fact through classification and NDA's until now - when as you say - it's public data that the government would (in your theory of constitutional law) be entitled to purchase?

cyanydeez
8 replies
9h8m

seems to me, the upstream problem is data brokers.

nonethewiser
3 replies
8h40m

But upstream of that is people volunteering their personal information.

HeatrayEnjoyer
1 replies
7h25m

The vast majority of people have not given informed nor enthusiastic consent to these practices.

bpt3
0 replies
7h12m

That's not the standard for engaging in a commercial transaction, and never will be.

JohnFen
0 replies
8h0m

I don't think this is true for most cases. I have not volunteered or given consent for the collection of most of the data about me on these markets.

zer00eyz
2 replies
8h58m

You're not wrong, but the implied solution of no data brokers is gonna be a bad thing.

The information is out there, it's stupid easy to correlate and collate it. It's even easier to use that to do something profitable.

Getting rid of data brokers, making them not exist just makes a gray market for the information, one that is just as lucrative and is going to be untaxed and unregulated.

641a was the moment privacy died. We're not getting it back. We need to come up with a better method/idea...

candiddevmike
1 replies
8h46m

We need data collection laws similar to HIPAA breaches that render data collection akin to storing nuclear waste. I'd like to see this apply to aggregate data mining too, so we can get rid of things like the Topics API.

GartzenDeHaes
0 replies
8h28m

HIPAA allows your medical information to be widely shared without your consent. It just requires the many holders of the data to implement some security controls.

https://www.healthit.gov/topic/interoperability/how-hipaa-su...

toolz
0 replies
8h58m

There are multiple problems here, but only one of those problems works for the US people. It's clear to me which problem should be most easily addressed with the highest impact for the effort.

We're talking about the difference in trying to influence arbitrary third parties behaviors and the difference in trying to influence the behavior of your own employees.

kube-system
5 replies
6h22m

It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation, if not in letter, then in spirit, of the fourth amendment.

It is and always has been legal for other people to volunteer information about you to the police. Doesn't matter if they're operating a business or not.

I can call the police right now and tell them that lumb63 posted a comment on HN at 2024-01-30T14:14:13. If I had more detailed information, I could tell them that too, and they could legally listen to me. I could tell them literally anything that I know about anyone.

Why would that be illegal?

This situation doesn't have anything to do with the 4th amendment. The 4th amendment prevents the government from forcibly taking information.

godelski
4 replies
5h55m

The parent understands all that, you do not need to repeat what they said themselves.

Times change, so do effects and outcomes. Laws don't have to be fixed for eternity. It would be really dumb if they did. Fortunately a system was designed to update laws in accordance with a dynamic environment.

kube-system
3 replies
5h36m

No, I am disagreeing with what they said. The 4th amendment is not the issue. It is and should continue to be legal for people to tell the government whatever they want.

The problem here is a lack of regulation for the companies that collect this data. Forget the government, data brokers can sell to anyone they want -- a stalker, someone looking to do harm to you, etc. People are harassed, robbed, cheated, scammed, and physically harmed using this information on a regular basis.

godelski
2 replies
3h53m

I understand you are disagreeing. They understand that the 4th Amendment doesn't offer these protections but made a claim that it does "in spirit."

It is and should continue to be legal for people to tell the government whatever they want.

You're right, but that's not what's happening here. What's happening here is one of 2 things. 1) Government initiated: seeks out and requests information from others and in this case, offering payment. 2) Information holder initiated: who is specifically offering information in exchange for compensation. This is more akin to walking into your police station and saying "I have crimes to report, but I will only do so if you pay me first." Obviously this has perverse incentives and I think we can see how this can clearly be abused to circumvent any requirements for warrants or other such due process.

I do agree that this situation is in violation of the __spirit__ of our legal system. Clearly a loophole is de facto not in spirit. Whether that is a 4th Amendment or not, idk, IANAL and neither is the OP and I assume neither are you(?). 4th Amendment seems pretty reasonable to point to considering it mentions warrants and this practice is being done explicitly to circumvent warrant requirements. But clearly we all understand what is trying to be communicated here, and that's the point. I wouldn't have made such a comment if you mentioned explicitly third party doctrine (as casey did an hour before you) or cited some law which added clarity to the situation. But yes, everyone knows you can just freely go tell the police about a crime you witnessed. I'm not sure who does not understand this. I would be extremely surprised if anyone actually believed it was illegal to report crimes to authorities and immediately question their mental capacity. But I guess we disagree at what constitutes basic and obvious knowledge.

kube-system
1 replies
3h8m

It doesn't violate the spirit of the 4th, nor is it a loophole. The 4th is not a prohibition on the government collecting information, nor is it a data privacy law. The 4th is about preventing the government from abusing their power to compel. Volunteered information isn't compelled by definition, so it is fine. This was the case then and it is the case now.

1) Government initiated: seeks out and requests information from others and in this case, offering payment. 2) Information holder initiated: who is specifically offering information in exchange for compensation.

Like a wanted poster and a bounty for information? These existed when the BoR was written. They weren't prohibited by the writers because the writers didn't have an issue with it. The 4th isn't a "government can't know anything or can't ask anything" rule, it's a "government can't bust down your door for no reason" rule.

I wouldn't have made such a comment if you mentioned explicitly third party doctrine (as casey did an hour before you) or cited some law which added clarity to the situation. But yes, everyone knows you can just freely go tell the police about a crime you witnessed. I'm not sure who does not understand this.

The example I gave was a practical illustration of how silly reality would be if third-party-doctrine wasn't a thing.

lumb63
0 replies
0m

I see your point regarding wanted posters and providing bounties for info on criminals. What’s going on with the intelligence agencies buying data from data brokers is definitely similar. However, it seems to me that the scale of what is going on at present is much larger; it is likely akin to having a wanted poster and providing bounties for any info on all people, criminal or otherwise. The vast majority of people whose data is being provided are probably innocent and not suspected of any crimes at all, nor will they ever be. And, as you say, the fourth amendment is a “government can’t bust down your door for no reason” rule. It seems where we differ is that I interpret (as does the U.S. Supreme Court since Katz v. United States) the “bust down your door” part to mean much more than my physical door, which is why I find that it violates the “spirit” of the fourth amendment: in my mind, an amount of privacy that it is reasonable to expect (e.g. what entities a person is communicating with over their own internet connection) is being denied by the government to perhaps all citizens using the Internet.

It sounds like we agree that the amount of data being collected on people via the internet is way too much and should be restricted. I think that regardless of whether or not stopping the government and its agencies from purchasing such data is or is not in keeping with the spirit of the fourth amendment, we will need legislation to protect the privacy we want from the government, and definitely from corporations. Let’s work toward that end.

BobaFloutist
4 replies
6h57m

It seems to me that the government accessing, even if by purchase, information > of citizens without probable cause is a violation, if not in letter, then in > spirit, of the fourth amendment.

On the one hand, I fully agree. On the other hand, I also agree with the intuitive argument that it's very strange to let private corporations surveil and gather, buy, and sell information about citizens to exploit for profit, but then say that the government can't buy that same information for law enforcement and national security.

It feels wrong to say that it's fine for someone with only a profit motive to use private data in small, petty ways to extract more profit from someone that's already paid them, but that the duly elected representative government can't use it for big, important things. Or, if law enforcement and national security are too fraught, what about, say, public health policy?

The obvious answer is that corporations shouldn't have access to it either, but that's a much harder sell, and so we're in this weird limbo.

w4
3 replies
6h47m

It feels wrong to say that it's fine for someone with only a profit motive to use private data in small, petty ways to extract more profit from someone that's already paid them, but that the duly elected representative government can't use it for big, important things.

We make this distinction all the time in areas like speech and searches, for good reason. The government is the only entity with near-omnipotent power over you. Corporations may be powerful, but they are ultimately restrained by the government’s monopoly on force; the government has no such restraints because it has the monopoly on force. It’s therefore reasonable and prudent to have different, more stringent rules for the government. If someone working for a corporation doesn’t like you, they can’t kill or imprison you (legally). Not so for the government.

With that being said, whether or not anyone at all should be allowed to collect or use this data is also a totally valid topic for discussion and disagreement.

BobaFloutist
2 replies
6h11m

If someone working for a corporation doesn’t like you, they can’t kill or imprison you (legally). Not so for the government.

Someone working for the government can't legally kill or imprison you because they don't like you either.

w4
0 replies
5h26m

Someone working for the government can't legally kill or imprison you because they don't like you either.

In developed democracies, if you are a citizen, because of the tight restraints put on government power.

Those restraints are, historically, a very new idea, and they are hardly universal even today: https://en.wikipedia.org/wiki/Enforced_disappearance

savanx
0 replies
5h33m

There are 30 people in certain Bay in Cuba who would disagree with that statement.

mechhacker
1 replies
8h18m

That and the third amendment for stationing a "soldier" (tracking and data collection) in our home (phone). And it needs to be extended to monopoly involuntary "private" entities with known federal sweetheart deals.

gur48
0 replies
7h24m

The same phone you voluntarily purchased, brought into your home and agreed to the terms of service on?

gur48
1 replies
7h33m

"Rights" - even those enshrined in the Bill of Rights - are trampled on daily.

Try traveling with a concealed firearm across state lines. Or telling a K-9 police officer they can't search your car after the dog has alerted. Or use your free speech privilege to spread alleged vitriol.

There's no such thing as "rights" - only what individuals can defend in the current place and time they're in.

tastyfreeze
0 replies
7h6m

Or simply having the audacity to travel on an airplane.

There's no such thing as "rights" - only what individuals can defend in the current place and time they're in.

I suppose that is the way it always has been. When the government was small people just didn't care what they were up to. The people became complacent and allowed a beast to grow. If the rights we are supposed to have keep getting trampled on revolution is inevitable. It may take a long hellish time to happen but that is one fork in the path we are on.

tootie
0 replies
7h59m

I doubt it. The data collected by brokers is going to all be indemnified by whoever collected the data. If they have all have posted privacy policies that include data collection and dissemination then it's fair game. I'm not sure the policies would even need to be airtight so long as the NSA and data brokers acted in good faith that they believed the policies were sound.

nonethewiser
0 replies
8h41m

It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation, if not in letter, then in spirit, of the fourth amendment.

Tragically the 4th amendment is kinda narrow. I would definitely appreciate some additions which enshrine a more specific right to privacy. Protecting against "unlawful" searches (AKA you have to take the case to court afterwards) is far to close to meaningless. Feels like the 4th amendment is about 10% as powerful as it should be.

jrmg
48 replies
10h5m

I don’t really understand why it’s so much more controversial that agencies are buying commercially available data than that the data is being collected and made available to anyone that will pay in the first place.

oatmeal1
19 replies
9h39m

It should be obvious. The government can use information to prosecute people. Corporations can't. The government is much less accountable than corporations for malicious behavior due to sovereign and qualified immunity.

austin-cheney
13 replies
9h38m

NSA is not law enforcement, neither is the Census Bureau and they do not require a warrant either even though they collect far more data.

monocasa
6 replies
7h29m

Sort of

CONCEALING A TIP

One current federal prosecutor learned how agents were using SOD tips after a drug agent misled him, the prosecutor told Reuters. In a Florida drug case he was handling, the prosecutor said, a DEA agent told him the investigation of a U.S. citizen began with a tip from an informant. When the prosecutor pressed for more information, he said, a DEA supervisor intervened and revealed that the tip had actually come through the SOD and from an NSA intercept.

https://www.reuters.com/article/idUSBRE97409S/

austin-cheney
5 replies
6h59m

The problem did not occur at the NSA, because the NSA is not law enforcement, but at the DEA which is law enforcement. The DEA should have applied for a warrant and immediately notified their attorneys of the evidence source.

timschmidt
4 replies
6h56m

That is expecting the fox to watch the hen house.

austin-cheney
3 replies
6h45m

It is expecting the DEA to do their jobs so that a half competent defense attorney does not invalidate the evidence.

timschmidt
2 replies
6h41m

While you've been expecting that, they've been doing this: https://en.wikipedia.org/wiki/Parallel_construction

austin-cheney
1 replies
6h34m
timschmidt
0 replies
6h31m

A good defense attorney would get that tossed.

Sure. Easy to object to something secret, which has a carefully crafted cover story. My defense attorney is psychic too. /s

anon291
4 replies
9h33m

It is the government though and the law makes no distinction.

austin-cheney
3 replies
9h27m

It does. If a person’s rights are not violated there is no cause to limit government access, at least according to the fourth amendment.

guhidalg
1 replies
8h58m

Let me rephrase what you said in a way that makes it clearer:

The government can do anything that is legal.

I people believe purchasing data is a violation of the 4th amendment and it may not yet be illegal but it should be.

anon291
0 replies
5h22m

The government can do anything that is legal.

That's true, but the federal government has a limited number of things it can do, as specified in our memorandum of understanding between the people of the united states and the federal government. That ought to be the framing under which all federal actions are seen.

To put it another way, for individuals, unless something is illegal, you are entitled to do it. Whereas for the federal government, everything is illegal except that which was made legal.

alan-hn
0 replies
9h0m

Rights are being violated simply by the government accessing the information

timschmidt
0 replies
8h3m
bearjaws
3 replies
7h59m

Credit report crashes 400pts due to them finding what you said on a forum when you were 14

no judge, jury or trial

try to live in America

I'd argue corporations persecute people far more often than the government does. e.g. when credit bureaus find out you have cancer your credit score drops at least 100pts.

oatmeal1
0 replies
7h20m

Examples can go back and forth. Government can unilaterally confiscate your property via civil asset forfeiture and make you prove it was obtained legally.

Government has been evicting people as collective punishment for crimes: https://www.youtube.com/watch?v=3FMZFwnBCbU

Not to mention the government is the one licensing the banks to create money through fractional reserves/the reserve ratio. That's why you're on an inflation treadmill where assets are constantly inflating in price to the point where you need a loan to make big purchases.

gruez
0 replies
6h5m

e.g. when credit bureaus find out you have cancer your credit score drops at least 100pts.

source?

EasyMark
0 replies
6h46m

The simple fact is the Constitution is there to protect you from the Government. I personally think the government can basically shoot you in the face without repercussions and not face much of an issue with the right coverup; it's a lot harder for corporations to get away with that in any legal way. Sure they can ruin your reputation via credit or whatever, but they can't pitch you in a dark cell for forever, nor do they really have much incentive to do that, unlike the government. Corporations are not the government, if you want to limit their powers then get laws passed that are a mirror of the constitution except for corps instead of the government; until then you can't say corporations and the government are the same or that corporations are as bad as the government.

JohnFen
0 replies
7h57m

The government is much less accountable than corporations for malicious behavior

I disagree with this assessment. I think it's the other way around -- corporations are held much less accountable than the government.

But neither are being good actors here.

macspoofing
6 replies
9h39m

The government is supposed to play by different (more constrained) rules because it has a monopoly on force.

I don't know what the legality of the NSA buying private data is, but it feels like it violates the spirit of the law that says they shouldn't be spying on their citizens.

ilovetux
2 replies
7h32m

it has a monopoly on force

I don't think this is true. These guys are still around[0] even after garnering their bad reputation.

[0] https://pinkerton.com/

ilikehurdles
0 replies
7h26m
banannaise
0 replies
6h18m

They can only operate as such because the state turns a blind eye. It is no coincidence that they tend to be hired by parties that have tremendous political influence, act much like private police, and have an extremely cozy relationship with the actual police.

gruez
2 replies
6h6m

The government is supposed to play by different (more constrained) rules because it has a monopoly on force.

How is this relevant when the government is purchasing the data on the open market?

but it feels like it violates the spirit of the law that says they shouldn't be spying on their citizens.

No, the spirit of the law is that the government can't use its monopoly on violence to gather evidence.

janalsncm
1 replies
4h19m

We can set whatever rules we want for the government. Whether the information is available on the open market doesn’t matter. Government isn’t a force of nature. We could say the government is only allowed to buy data on a Friday the 13th during a full moon if we want.

gruez
0 replies
2h33m

We can set whatever rules we want for the government.

But that's not what was discussed. The comment I replied to was talking about "the spirit of the law", which is separate from what the law ought be today.

treyd
5 replies
10h1m

Because Americans are so terrified of government that they can be completely okay with something terrible as long as it's private corporations doing it (and so, theoretically, you have the ability to not be a customer of that corporation) and not the government. Even if in practice your data is still being collected by that corporation indirectly or all of their competitors are also collecting and selling your data.

anon291
2 replies
9h32m

Private corporations in America regularly go bankrupt, lose tons of money, go out of business, go defunct, etc. The government does not. It's just not the same thing at all. Private corporations can be dissolved by government action. They can be handled much easier than the government.

treyd
1 replies
5h50m

When was the last time a large and entrenched corporation did something terrible to the American public and was forcibly dissolved by the government?

anon291
0 replies
5h26m

Not forcibly dissolved, but as we've seen with COVID and the recent 'woke' stuff, the public collectively punishes corporations they don't like. Even facebook is seeing a mass exodus from the platform after the election fiasco in 2016 and the ensuing controversy (which was around data privacy).

macspoofing
0 replies
9h33m

Because Americans are so terrified of government that they can be completely okay with something terrible as long as it's private corporations doing it

That's not it. I think it is perfectly reasonable to set up a government with constraints and a culture of respect for the citizenry. It isn't about trust or no trust in 'government', because government is made up of individuals, and individuals have all kinds of motivations. I generally trust the government, but I am aware that any specific policy or decision can be a corrupt action for the benefit of some individual within the beurocracy.

RobRivera
0 replies
9h52m

Oh am I?

bell-cot
5 replies
9h48m

My guess is that domestic spooks buying the data is a threat to many people's "Just Pretend"-privacy armor. If Larry's Lawn Care, Esther's Escort Service, and 47 assorted mafias and criminal gangs buy my data...well, other than more spam, what are they actually gonna do with it? (Or so I can tell myself.) Vs. the FBI & local cops & such might dig through my data and [danger music] find something, or start doing creepy targeting of me, and they are the law, with power to do whatever they want...

anonym29
4 replies
9h4m

Your "anonymized" cell phone GPS data can be used pretty easily to determine when you're not home for purposes of burglary.

Your household size and firearm preferences data can tell a rapist how easy of a target you will be.

Your genetic information can be used by insurance companies to secretly deny you coverage for pre-existing conditions, even though this is illegal.

Your genetic information could also cause you to be targeted by racists.

Your sexual preferences could be used against you as blackmail if the government or cultural moment shifts away from tolerance and they become unacceptable.

Your purchasing habits could cause you to become a prime suspect for a terrorist who used those same items in your area for a recent attack, like if your wife was buying a pressure cooker while you were buying backpacks for your kids doing back to school shopping.

I know a lot of these sound crazy, but consider this: the fact that they sound so crazy would itself make you sound less believable to others if anyone ever did victimize you any of these ways, furthering their odds of being able to perform that successfully without repercussions.

gur48
2 replies
7h21m

This is beyond paranoid. It's para-paranoid.

Your "anonymized" cell phone GPS data can be used pretty easily to determine when you're not home for purposes of burglary.

Please - PLEASE - find me ONE example of a home burglary occuring under these circumstances.

Your purchasing habits could cause you to become a prime suspect for a terrorist who used those same items in your area for a recent attack, like if your wife was buying a pressure cooker while you were buying backpacks for your kids doing back to school shopping.

This is just beyond nuts. Stop watching so much television, it's not good for your mental health.

anonym29
1 replies
5h33m

Please - PLEASE - find me ONE example of a home burglary occuring under these circumstances.

Likely not possible. By definition, these would be successful burglaries that happened when owner was not home and perpetrator was likely never caught.

Remember, the close rate on burglaries in the US is in the low teens - 13% as of 2022[1], and by definition, these were the dumb perpetrators that got caught - the 13% least competent||lucky of all home burglars.

Buying a pressure cooker and a backpack causing you to be suspected of terrorism is nuts?

Oh, you sweet, sweet, naïve summer child. This isn't fiction, it's a story from real life that's happened many times. A cursory search engine query shows numerous examples of this, e.g. this one[2] that happened over a decade ago!

I can't force you to be rationally worried about entirely plausible risks, just keep in mind that your irrational lack of concern for such possibilities only puts yourself at risk.

If I had to hazard a guess, I'd guess you're politically likely to be progressive/left wing. Do you know that's empirically correlated[3] with having less mass in your amygdala, the part of the brain responsible for evaluating threats and risks?

[1] https://www.statista.com/statistics/194213/crime-clearance-r...

[2] https://www.nydailynews.com/2013/08/01/pressure-cooker-and-b...

[3] https://www.scientificamerican.com/article/conservative-and-...

gur48
0 replies
3h31m

Wow, you sound angry and upset.

Several personal insults and as for evidence, a single "Long Island woman claims" allegation from ten years ago. Plus a political derangement twist - how exciting!

It is fascinating how insecure a person like you is capable of being degraded to by the same systems you so vehemently decry. It's analogous to being afraid of everyone on the street because they might have a black belt in martial arts.

bell-cot
0 replies
8h38m

My sense is that you did not read the comment I was replying to, and overlooked both disclaimers in my reply:

> "Just Pretend"-privacy

> Or so I can tell myself.

I am perfectly aware of every fact you noted. Repeating those facts on HN educates no one, and does nothing whatever to address the question in the prior comment.

fusslo
2 replies
9h29m

I'll take a crack at a couple possibilities

well, first, companies having this information is inherently not ok to the average person

Second, agencies are purchasing this information with taxpayer money. So we're feeding a market that we may not agree with

Third, government agencies have rules, and when these agencies skirt around the rules or find loopholes, it has a negative effect on that agency. Generally, a population wants their government to have a good reputation and agents of the government are following the rules.

Fourth, and I think this may be the most important: government agencies have the authority and power to do things private companies cannot. government agencies can launch investigations, get legal advice from prosecutors, indite, get warrants, supena, arrest, detain, etc. All are invasive, expensive, and may result in a range of bad things (from paying lawyer costs all the way up to prison).

dgfitz
0 replies
7h27m

well, first, companies having this information is inherently not ok to the average person

I sincerely disagree. The average person doesn't care. They should, but they absolutely do not. Don't fall into the hn-bubble trap.

Second, agencies are purchasing this information with taxpayer money. So we're feeding a market that we may not agree with

If I had a nickel for everything the government did with my money that I disagree with I could quit my day job.

Third, government agencies have rules, and when these agencies skirt around the rules or find loopholes, it has a negative effect on that agency. Generally, a population wants their government to have a good reputation and agents of the government are following the rules.

Generally, a population just wants to be "fat and happy" and secure. You're falling into the HN bubble trap again.

Fourth, and I think this may be the most important: government agencies have the authority and power to do things private companies cannot. government agencies can launch investigations, get legal advice from prosecutors, indite, get warrants, supena, arrest, detain, etc. All are invasive, expensive, and may result in a range of bad things (from paying lawyer costs all the way up to prison).

Sure. Otherwise what's the point?

abeppu
0 replies
5h42m

The last step of the journey we're on is when individuals taking steps to limit the data collected about them by corporations are charged with obstruction of justice because the government cannot buy enough data about them.

2OEH8eoCRo0
1 replies
8h59m

They don't want the govt to be able to do that but they also don't want to cut off the money faucet for data brokers.

Personally, I think that if data brokers have it then it is essentially public information. What makes the public information from data brokers different from other public information like your address?

conductr
0 replies
7h43m

Idk, I get your point but... Imagine a world where I could visit a site or ask a gpt to use the only thing I know about you, your apparently obfuscated HN username, and then I could track you in real time. Because it knew your username’s IP address, which then knew your phone, which then gave me a feed of your gps coordinates, which then gave me live video/audio of any networked camera/smart home device you were in view of. There would be very little shadow over you that people couldn’t watch, or record for future scrutiny. Your employer, business associates, religious groups, neighbors, etc would know everything about you. This is just the tip of the iceberg, your search history and porn viewing preferences and everything else you consider private would then be connected to the username you hide behind.

That would be a bit creepy but I wouldn’t be surprised at all if NSA had the data to build this capability. Money seems like a decent but exploitable way to keep all this data from being stitched together privately

mightybyte
0 replies
9h7m

In short, the government is special because of its broad sweeping power to make laws that impact everyone. For example, consider the first amendment: "Congress shall make no law...abridging the freedom of speech". This applies to the government but not, say, to a third grade classroom rule against using curse words. It's perfectly reasonable for a private group to ban certain kinds of speech because if you don't like it, you can go somewhere else. But much more care must be taken when you're operating in the sphere of laws and government actions.

Another way to put it...the government is the only entity in society with a monopoly on the use of force. With great power there should also be a great degree of responsibility.

bayindirh
0 replies
9h45m

It's not the action of buying the data, but the action of buying data on people you're not supposed to spy on, plus the technical capabilities of the NSA which raises the question of what the heck are you doing all this data plus the data you collect covertly with methods you don't tell, and what are the consequences of this on personal, national and community level?.

JohnFen
0 replies
7h58m

Because the government is doing this specifically to evade controls that are supposed to help keep us safe from governmental abuse.

But I do agree with your premise: it's a travesty that this data is collected and made commercially available without informed consent in the first place.

EasyMark
0 replies
6h52m

Private corporations can't imprison you (well not without government blessing) and take away your basic freedoms, the government can. Also, the Bill of Rights & Constitution is by and large meant to protect you from the excesses of government and not private citizens, regular laws are meant for that, mostly at the state and local level. That's always been the legal distinction in the USA

rblatz
20 replies
10h1m

The issue is that it’s the NSA, they’re not supposed to be investigate US citizens. They are supposed to be foreign signals intelligence.

I’d fully expect the FBI or CIA to do this. I’m not even sure it’s wrong for them to do that. At least no more wrong than anyone else that buys it in order to advertise you.

austin-cheney
17 replies
9h31m

That’s not completely correct. The CIA has the least reason to access this data as they are only charted for intelligence collection outside the US. The FBI is law enforcement so they cannot touch or view any of that data without a warrant else they could invalid all manners of data collection in many open cases.

The NSA is chartered to collect data on communications entering and leaving the US. Decades ago that was completely unambiguous but less so now. Their collection of data on Americans is not illegal depending upon what they do with it. That was the most revealing part of the Snowden releases: insider threats misusing NSA data collected on Americans for personal use.

hiatus
12 replies
8h25m

The FBI is law enforcement so they cannot touch or view any of that data without a warrant else they could invalid all manners of data collection in many open cases.

This is just plain false. It is a long-held idea in American jurisprudence that information given to law enforcement by third parties can be used so long as that information was not collected under the direction of the government. https://en.wikipedia.org/wiki/Third-party_doctrine

austin-cheney
7 replies
8h7m

In this case the information is not provided to the government. It is purchased. The distinction is the difference between an unexpected gift versus an overt act, and thus a search warrant would apply in the context of the FBI.

hiatus
4 replies
8h3m

The distinction is the difference between an unexpected gift versus an overt act, and thus a search warrant would apply in the context of the FBI.

Why would buying information you have no right to privacy for require a warrant? Police do not need warrants for generally publicly available information, and if anyone can buy this information why not police? Similar to how police do not require a warrant when they ask a phone company for records and the company just gives it to them without question.

If police ask you to search your house, you could let them or you could tell them to come back with a warrant but if you let them they can use what they find.

JohnFen
2 replies
7h48m

We need to change the legal premise that entities have the right to give up data they've collected on people without the express informed consent of those people, no matter who those entities want to give that data to.

edgyquant
1 replies
7h34m

People are consenting to this, that’s the issue. We need to change data privacy laws in general, the government buying it isn’t the real problem here it’s that it is for sale at all.

JohnFen
0 replies
6h34m

People are consenting to this, that’s the issue.

I don't think they are, by and large. At least, not "consent" in any meaningful sense.

austin-cheney
0 replies
6h53m

That is an irrelevant argument. With regard to the fourth amendment all that matters is whether the government is using that information to harm or detain somebody. It does not matter how much value you place upon that information or whether anybody should have it or not.

NSA are not law enforcement, so comparing the NSA to law enforcement results in absurd conclusions.

edgyquant
1 replies
7h35m

No this doesn’t matter, they aren’t forcing these companies to collect data they are buying data these companies collect as their business model and thus it is completely legal.

austin-cheney
0 replies
6h46m

They who?

It is perfectly valid for the NSA to buy that data, because the NSA cannot use that data in a way that violates the fourth amendment without breaking other laws.

If the FBI buys that data they need to have probable cause prior to that purchase else all the purchased information and everything resulting from that information cannot be used to prosecute cases. The reason is because defendants have a legally established expectation of privacy on certain electronic communications such as email.

lcnPylGDnU4H9OF
3 replies
8h0m

I think many people would take issue with the claim that most information is given voluntarily. How many people even know that their car connects to cell towers, which allows for location tracking, let alone who actually volunteered for it?

gruez
0 replies
6h1m

How many people even know that their car connects to cell towers, which allows for location tracking, let alone who actually volunteered for it?

The bigger problem is that cars are required by law to have unique identifiers prominently displayed (ie. license plates), so you had very little expectation of privacy to begin with. Even if your car wasn't connecting to cell towers, a network of license plate readers can figure out your location, and it's unclear why consent would be needed in that case.

cheschire
0 replies
7h37m

They accepted the EULA, so they know! /s

NegativeK
0 replies
7h11m

It's voluntary under the letter of the law, which is the context the parent post is using.

I think we both agree that the law needs to change.

willcipriano
3 replies
9h28m

The FBI is law enforcement so they cannot touch or view any of that data without a warrant else they could invalid all manners of data collection in many open cases.

https://en.m.wikipedia.org/wiki/Parallel_construction

austin-cheney
2 replies
9h21m

Good faith discovery requires that the receiving party was ignorant of the malicious behavior of the collecting party, thus suggesting the receiving party formed a warrant in good faith. A good defense attorney would get that tossed. The primary legal theory to bypass an improper collection is inevitable discovery which does not apply here.

willcipriano
1 replies
9h18m

The Snowden leaks came out on 2013, it has been known since then that data collected in this manner is used against US citizens in the manner I described in the above comment despite your assertions to the contrary.

austin-cheney
0 replies
9h6m

It’s time for a check on reading.

* Your prior comment never described any malicious depth of data collection.

* I never said anything to the contrary.

* Data collected upon individuals is not the same as data collected against individuals as the later provides intent.

snarkyturtle
0 replies
9h41m

What does "foreign" even mean in the internet? It's not like there are clear lines between plots of land. Everything is everywhere.

BurningFrog
0 replies
9h46m

That the NSA spies on Americans on a massive scale was revealed by Snowden in 2013.

There is no excuse to be surprised by it in 2024.

tastyfreeze
3 replies
6h55m

Making selling personal information illegal solves this problem. If there is no profit motive to collecting the data most companies will just not collect it.

pphysch
2 replies
6h14m

Trading illegal drugs is illegal, but entire black markets still exist for that purpose. Monitoring illegal transactions that have no physical footprint (unlike drugs) is very difficult.

tastyfreeze
1 replies
5h20m

If it is illegal to sell then ostensibly the government cannot legally purchase it.

pphysch
0 replies
3h5m

DoD black budget.

Some highly classified CIA/NSA project needs $10M for data collection, and no one bats an eye.

Snowden revealed that CIA spent $10Bs on "data collection" per year.

lettergram
3 replies
10h3m

Hasn’t that been pretty open since Snowden like 10 years ago?

Also, if anyone ever wonders how insidious the government is here’s food for thought — why does the US have such a crazy tax code? Quite literally all your life’s details give you small breaks on taxes - who you donated to, when you donated, why you donated. What property you own, what you did with it, new car? Is it an EV? Does it have power steering? Etc.

It would be far far easier to pass a flat tax or remove most breaks. Interesting enough, they want to track all transactions now to increase tax revenue

https://www.npr.org/2021/10/25/1048485043/irs-banks-taxes-fi...

https://www.cnbc.com/select/irs-600-reporting-rule-delayed/

But again, you don’t keep some of these $50 savings on taxes, then monitor all transactions. Unless it’s for something else

rayiner
2 replies
9h41m

Because the US tries to micromanage people’s behavior through the tax code. E.g. it offers EV credits because they want you to buy an EV instead of a gas car.

xyzzyz
0 replies
28m

I mean, I get why they would not understand it when the government micromanages companies by targeted tax breaks (called “tax loopholes”): they just hate companies and markets, and so they blame them for doing the exact thing the government wants them to do. But how can you not understand that the purpose of EV tax credits is to make people buy more EVs? That’s the whole point!

HumblyTossed
0 replies
8h48m

This. A lot of people don't understand this, but taxes shape behaviors.

flandish
3 replies
9h30m

What I don’t understand is how they tie data to a specific human in meatspace. Like my car - I own it but if you drive it, you get the speeding ticket.

But with data - sure this post is from a meatspace device registered in my name / but does not indicate I am the actual meatspace person using it.

hn_acker
1 replies
6h15m

Consider public IP addresses. Geolocation can link an IP address to a region as imprecise to a country to a more precise region such as a city. Combining rough location to a few other data points can greatly narrow down meatspace candidates for a particular account [1]:

According to one landmark study, these three characteristics are enough to uniquely identify 87% of the U.S. population. A different study showed that 63% of the U.S. population can be uniquely identified from these three facts.

If you have a significant online presence, your gender or age might be revealed by the way other users address you on some website. If a website happens to collect gender or birthday, then the website might share/sell the info to data brokers.

If police manage to narrow down the location of a potentially incriminating online action to a household, then the police could physically show up with a warrant and ask about who was using which computer in the house at that time.

[1] https://www.eff.org/deeplinks/2023/11/debunking-myth-anonymo...

flandish
0 replies
1h23m

Oh for sure. I don’t disagree - it’s just so.. easily “faked” too. Nothing is anon but also nothing short of me showing a cop looking over my shoulder is proof positive.

dogman144
0 replies
5h47m

Correlation across multiple signals, described here

https://restoreprivacy[.]com/rtb-data-leveraged-for-user-sur...

zoklet-enjoyer
2 replies
7h34m

1. What can the average person do to avoid having their personal data collected and sold?

2. How would one go about creating fake data that gets collected and sold?

eszed
1 replies
7h4m

1) Nothing.

2) This is a wonderful "Hacker-ish" approach to the problem: Pollute the Database! My fear is that in the real (ie non tech-hacker) world, whatever false data my dbPollution script put into the table dedicated to me would be used to target me, and that the argument "No, I didn't make [suspicious searches 1, 2, and 3] - this tool designed to make Law Enforcement's job harder did!" would not be a winning argument with a) Judges, and b) a jury of my normie "peers".

In theory I love it; in practice, it scares the shit out of me.

zoklet-enjoyer
0 replies
6h40m

I'm thinking there needs to be more tools like this https://www.bleepingcomputer.com/news/google/google-bans-adn...

Maybe it would be easy to sort through, but maybe not

deadbabe
2 replies
7h44m

Can we buy our own data from a data broker?

gorbachev
0 replies
7h33m

I think I'd rather buy data about data brokers' executives.

NegativeK
0 replies
7h9m

Have a business address, get visited by a data broker rep to prove that you're actually a business, and then pay something like $10/person.

Pentest firms do this to show their clients the concerns around data brokers.

RcouF1uZ4gsC
2 replies
9h51m

I think it would actually be a dereliction of duty if they did not buy the data.

If the data is available for purchase, they should buy and analyze it, if for no other reason than to know what everyone else knows.

Making the NSA intentionally blind to available data, seems like a bad thing.

ikjasdlk2234
0 replies
8h34m

I mostly agree. If I were them, this acquisition would be to augment building a baseline of traffic and patterns of life so they can better identify anomalies in the future.

NegativeK
0 replies
7h8m

It seems like a dereliction of duty for the NSA not to go to Congress and scream about needing to close this gaping flaw in the security of our nation.

miga
1 replies
10h10m

While upsetting civil rights, one cannot leave commercial data brokers unmonitored by agencies.

If only because they should be able estimate risk of and prevent criminal activity on home soil.

lettergram
0 replies
10h1m

one cannot leave commercial data brokers unmonitored by agencies

That’s a feature haha. The largest lobbies are banks and organizations using those data brokers. The government leaves them alone, so they too can use them. It’s a way around laws.

kingwill101
1 replies
8h23m

The irony here is that it's not been done by China or Russia. Why does it seem there's much less outrage if any when it's been done my local agencies?

__MatrixMan__
0 replies
7h30m

Because your tax dollars do not pay for the Chinese surveillance apparatus. Of course they're spying on you, that's their job.

Our country is ostensibly different than theirs precisely because we don't treat our citizens like enemies... as much.

jensensbutton
1 replies
9h45m

I cannot imagine being upset over this instead of the fact that data brokers can sell all this info in the first place.

uncletammy
0 replies
8h26m

I cannot imagine not being furious about both, simultaneously.

That being said, one of these is the culmination of tens of thousands of tiny consent violations made by hundreds or thousands of immoral, largely anonymous villians.

The other is one enormous and brazen violation of the constitution, made by a government organization which is funded by citizens to protect and serve them.

Both violations warrant the strictest repercussions.

skywhopper
0 replies
7h37m

Not surprised in the least, and yet I probably trust the NSA with the data more than literally any other customer of those data brokers. Not that I trust the NSA all that much.

onionisafruit
0 replies
8h56m

The article says this about the NSA:

It’s completely capable of engaging in domestic surveillance. And, indeed, it often does! So why would it need to purchase something it can obtain (more legitimately[?]) from its own dragnets and risk having part of its collection techniques exposed?

I don’t think the NSA needs to worry about adversaries learning the technique of exchanging money for information. Hacking the data brokers would cause more potential exposure of proprietary techniques.

nashashmi
0 replies
7h4m

This is what Facebook was also doing. They were buying data from any website they could. (They made data buying a profitable thing because they knew they could use that for ad serving.)

If the US govt, if intelligence agencies are doing the same, are we calling this "illegal" or wrong? If so, why? If the US govt were to be doing this with a healthy dose of govt reach, then it would be a violation of law. But they are buying what is already available.

mcny
0 replies
5h50m

The question we should be asking is with what money and on whose authority? Defund the NSA.

mass_and_energy
0 replies
6h21m

This is why Clearview AI and things like it are such a major threat to our privacy and security.

mark_l_watson
0 replies
7h6m

I wish in the US we had some form of privacy protection as in the EU. What the EU has is not perfect, but I wish we had it.

My understanding is that one man, Senator Chuck Schumer, blocks any meaningful privacy legislation in his committee. A one man privacy wrecking ball. I read somewhere that his two daughters have high paying jobs at, I think, Meta and Microsoft.

EDIT: my point is that if we had better privacy, then corporations would have less information to sell.

joloooo
0 replies
6h5m

Hasn't this been accepted with things like the Five Eyes alliance? https://en.wikipedia.org/wiki/Five_Eyes

dhx
0 replies
7h42m

"For example, such information is critical to protecting the US Defense Industrial Base" is not an overly convincing argument for purchasing "NetFlow"[1].

The US State department Exchange Online hack is an example of where "NetFlow" being purchased could be more interesting as an example. IP addresses such as those registered in Russia and to OVH data centres logging into State Department executive mailboxes at 3:00AM in US time zones should be laughably easy to detect.[4] Rented US virtual servers and AWS/Azure/GCP servers outside federal government availability zones would also be trivial to detect as suspicious source locations. The question that purchased "NetFlow" would help answer is what is connecting to those suspicious IP addresses, what is connected to those, what else do the chain of IP addresses found communicate with, etc.[5]

- Worst case there was no one was watching that attack as it occurred over ~4 months through use of "NetFlow" that may have been available and useful to use.

- Controversial case is someone was watching (possibly including attacker's use, if any, of US servers) and decided that it was better to keep watching and following the attackers than to immediately prevent a few State Department emails being leaked.

- Best case (not implemented) would seemingly be to fix terribly configured government systems so they can only be accessed from trusted locations and not random rented virtual server IPs, and "NetFlow" analysis is then probably not required. Security features such as "We've noticed your account is accessing this system from a new ISP--confirm this is really you?" aren't new.

[1] https://en.wikipedia.org/wiki/NetFlow

[2] https://en.wikipedia.org/wiki/DShield

[3] https://web.archive.org/web/20010205010100/http://dshield.or...

[4] https://www.microsoft.com/en-us/security/blog/2023/07/14/ana...

[5] https://blog.torproject.org/traffic-correlation-using-netflo...

chiefalchemist
0 replies
5h35m

Why is this a surprise? If the NSA et al is willing to break the law or at least bend it (a la Snowden revelations) why wouldn't they do something that is well within the law?

Are we really still this naive?

bemusedthrow75
0 replies
8h17m

HN should maybe try engaging with this with the same urgency and focussed outrage as they would if they were told the perfidious, unreconstructed Brits were doing it.

Something something US citizens something something unaccountable governments something something secretly breaking laws.

WhackyIdeas
0 replies
7h22m

What are Apple and Google doing to protect their Android and iOS devices from these data brokers? Or are they just allowing and making it easier for them? Why give apps the power to do these things, why not give the power to the person who bought with their hard earned money these devices - why not let them choose whether to allow an app to grab all the data they can?

SEJeff
0 replies
7h58m

This is not new. As an example, the US Department of Homeland Security has been known to use Web of Science to help them identify foreign born researchers working in the US tied to their home country militaries.

0xbadcafebee
0 replies
6h17m

This isn't a surprise, is it? It's not illegal, and this is the NSA we're talking about. The people who hacked domestic corporations for chuckles. If it's not illegal, and it's surveillance related, they're doing it.

Wyden's demand that companies stop selling our data "without consent" is political bullshit. It just means the companies have to stuff a "you consent to X" in their ToS. Which nobody reads, so nobody will push back on. Business as usual.