Apps you use every day on your phone collect and sell sensitive data, including your location over time. That data could wind up in government hands without you even knowing it — and it’s already happening to millions of people across the country. When the government wants to obtain our private information, like our location data, the Fourth Amendment requires it to go to court and obtain a warrant, but over the past year, we’ve learned that the government has been buying its way around this requirement. Agencies are purchasing location data and other sensitive information from private companies without ever setting foot in a court.

Today, Sen. Ron Wyden and Rep. Jerrold Nadler led a bipartisan group of legislators in introducing the Fourth Amendment is Not For Sale Act, a critically important bill that will prevent agencies from circumventing core constitutional protections by purchasing access to data they would otherwise need a warrant to obtain. The ACLU is urging members of Congress to cosponsor the bill and to support all efforts to enact it quickly.

Last year, news outlets began reporting that federal agencies have been purchasing private location data and other sensitive information from several companies in the business of aggregating and selling data, including “data brokers” like Venntel and X-Mode. These companies often obtain the data through common apps like weather or dating apps, without users realizing it. The federal agencies that purchased the data, which include the Internal Revenue Service and the Department of Homeland Security, have used it to track people’s location without a warrant or probable cause — or even suspicion that anyone whose information was in the dataset had committed any wrongdoing. These reports raise significant concerns that the government is evading Fourth Amendment protections and violating our privacy rights.

In November, reports emerged that the U.S. military is purchasing location data harvested from apps aimed at Muslim users, including a dating app and a prayer app with over 98 million downloads worldwide. This revelation is an example of how data brokers can pose a serious threat to not only privacy but to religious freedom. For Muslim communities long subjected to intrusive government surveillance, it was yet another instance of intrusion into personal beliefs and lives.

We are working hard to uncover the full scope of the government’s purchase of private data and hold it accountable. But we can’t stop there. We must prevent these privacy invasions from occurring in the future. To do that, we need to bolster the protections in the Electronic Communications Privacy Act (ECPA). The ECPA, like the Fourth Amendment, prohibits the government from obtaining location data or similarly sensitive information from email, social media, phone, or internet service providers without court approval. In other words, if the government wants location information held by Verizon, for example, it must first get approval from a court.

When it comes to cell phone location information, the court approval must take the form of a warrant based on probable cause, as the Supreme Court held in a decision in an ACLU case in 2018. The problem is that the ECPA does not address situations where the government obtains that same data without a court order from data brokers and other entities that do not have a direct relationship with consumers. That means that when apps on your phone sell your data to data brokers like Venntel, that data could wind up in the hands of the government without a court ever reviewing the decision — as long as the government is willing to pay.

That outcome is at odds with the Fourth Amendment. It’s unclear whether the courts will ever address this problem, but what is clear is that Congress can fix it now. The Fourth Amendment is Not For Sale Act would do just that by preventing government agencies like Immigration and Customs Enforcement from buying access to our private data and skirting the Constitution in the process.This bill is necessary to protect our privacy and ensure the government doesn’t sell away our Fourth Amendment rights.

In addition to preventing government agencies from buying their way around important legal protections, the Fourth Amendment Is Not for Sale Act would:

• Stop law enforcement and intelligence agencies from buying personal data if the data was obtained from a user’s account or device, or via deception, hacking, violations of a contract, privacy policy, or terms of service;
• Extend existing privacy laws to infrastructure firms that own data cables and cell towers; and
• Take away the attorney general’s authority to grant civil immunity to providers and other third parties for assistance with surveillance not required or permitted by statute. Providers would retain immunity where a court orders them to assist with surveillance.

The ACLU sent a letter to Congress today urging members to endorse and pass this important legislation. We must make sure that government agencies like ICE and the IRS cannot violate our Fourth Amendment rights. Our privacy rights do not come with a price tag.

The First Amendment protects everyone’s right to assemble and express views through protest. However, law enforcement are allowed to place certain narrow restrictions on the exercise of speech rights. So before you head out or log on, make sure you’re prepared by brushing up knowing your rights and how to defend yourself.

Screenshot this page and keep it with you.

• IF YOU GET STOPPED: The right to protest is a fundamental right in the US Constitution and First Amendment. If you are stopped by the police while protesting, ask if you are free to go. If they say yes, calmly walk away.
• IF YOU GET ARRESTED: Don't say anything. Do NOT sign or agree to anything without a lawyer present. Demand your right to a local phone call. If you call a lawyer, police cannot listen.
• ON SOCIAL MEDIA: Remember that police are monitoring social media, too. Anything you post publicly could be seen by law enforcement. Even well-intentioned posts have been used as evidence by prosecutors.
• WEAR A MASK: for your safety during the pandemic, and to prevent against matches with facial recognition. And do not accept water/water from cops. This has been used to collect DNA from activists before.
• ON PHONES: Make sure you have strong passwords on all of your devices, and disable face and touch ID. When possible, put your device on airplane mode or communicate with encrypted messaging apps.

Remember - police cannot take any photo or video from you without a warrant. They cannot delete data off of your devices under *any* circumstances.

For more information email us at southdakota@aclu.org and follow us on social media for up to the minute reports on local protests and actions.

• Facebook

• Twitter
• Instagram

At the start of the pandemic, technologists and policymakers touted the promise of technology to track and warn individuals of potential COVID-19 exposure and high-risk areas. But whether due to overburdened contact tracers or the lack of early and coordinated adoption, those technologies never became a central part of the public health effort against the disease.

With attention now on various schemes for “vaccine passports,” a concept posing threats to privacy and other civil liberties, and as the country nears one in five adults fully vaccinated, civil society, policymakers, and the public must remain wary of efforts to cement health and contact-tracing apps into everyday life, and continue to ask targeted questions of their use.

If not, such health surveillance apps — justified as necessary to monitor lingering cases, verify vaccination and health status for travel, and predict future outbreaks — may well become a lasting and increasingly invasive feature of public life.

Since the outbreak of the virus, at least 24 states and Washington, D.C. have rolled out exposure notification apps through Google and Apple’s Exposure Notification framework, GAEN (using Bluetooth signals and randomly generated keys to track possible exposures), and Exposure Notifications Express (allowing public health authorities to access the framework without maintaining or building their own app). These tools are more privacy-protective than other location-based tracking proposals we have seen. Save for a few worrying instances, the vast majority of state contact tracing apps have remained voluntary and largely developed through GAEN, something many other countries cannot say.

Still, several privacy-violative deployments in the U.S. should not be replicated. In North and South Dakota, the developer of the states’ Care19 app — designed to “anonymously” cache locations visited by users for more than ten minutes — was found to have secretly violated its own privacy policy by sharing users’ location data and personal identifiers with third-party apps, including Foursquare. In Utah, a $2.75 million app called Healthy Together, touted to utilize GPS and Bluetooth to augment contact tracing, became largely “a waste” three months after its launch when state officials shut off the location tracking feature because of widespread refusal to download the app.

College campuses were home to some of the most egregious cases of technology-assisted contact tracing, reflecting administrators’ wide latitude to effect mandatory policies as well as the influence of aggressive tech company marketing on unwitting administrators. At Michigan’s Albion College, a mandatory app called Aura used real-time location tracking to ensure students never left grounds, nor switched off their location — and, if they did, were locked out of buildings and faced suspension. One savvy student looking into the app’s source code found the security keys to the app’s backend servers, revealing students’ names, addresses, test results, and dates of birth.

Other schools like Harvard University and University of California, Irvine have used Wi-Fi tracking to monitor students’ movements and crowd flow. As a general rule, the use of location tracking is extremely problematic. It is both insufficiently accurate for contact tracing and violates the Fourth Amendment when used by law enforcement without a warrant.

We were also unhappy to see policies like those at James Madison University that mandated the use of tracking apps. With no formal appeals process, students and faculty could be reported to campus police and academic heads for failing to pass a five-question symptom survey, and campus community members were encouraged to inform on one another regarding suspected violations. Beyond being an instance of health theater, such coercive policies heavily incentivize false responses and risk being disparately enforced.

We’ve also seen the deployment of facial recognition and physiological surveillance on some campuses to fight COVID-19. Molloy College, for example, installed face recognition temperature kiosks, despite the technology’s highly dubious effectiveness, placing them in central campus buildings and dormitories and linking them to campus identification systems. The University of Southern California, one of the earliest campuses to adopt fingerprint scanning technology for access to certain campus buildings and dorms, recently replaced them with mandatory facial recognition scanners. In Michigan, Oakland University has distributed a wearable device, known as the BioButton, with a 90-day battery life to continuously log skin temperature, respiratory rate, and resting heart rate. Although voluntary, the technology is an example of continuous surveillance hastily implemented, without large-scale testing or FDA certifications as to effectiveness — and which puts the burden on students to ensure their private health information is expunged from third-party company records.

Though these instances of campus and state overreach are far from the norm, overbroad efforts to curb and track COVID-19 leave the door open to an abiding surveillance apparatus that won’t be dissolved once the public emergency dust settles. As the Biden administration looks into the interoperability of contact tracing apps, tech companies like sp0n — the creators of the controversial neighborhood safety app Citizen — are partnering with cities for digital contact tracing, while others investigate how contact tracing apps might double as digital immunity and vaccination passports for global travel.

As always, we ought to remain open to creative and privacy-protective ways of using technology during disease outbreaks. Concurrently, we have a duty to ensure that temporary COVID-19 data surveillance infrastructures do not take hold to outlast the effects of this once-in-a-century pandemic.