[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]
DIGITAL DRAGNETS:
EXAMINING THE GOVERNMENT'S ACCESS TO
YOUR PERSONAL DATA
=======================================================================
HEARING
BEFORE THE
COMMITTEE ON THE JUDICIARY
U.S. HOUSE OF REPRESENTATIVES
ONE HUNDRED SEVENTEENTH CONGRESS
SECOND SESSION
__________
TUESDAY, JULY 19, 2022
__________
Serial No. 117-74
__________
Printed for the use of the Committee on the Judiciary
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]
Available via: http://judiciary.house.gov
__________
U.S. GOVERNMENT PUBLISHING OFFICE
48-809 WASHINGTON : 2022
-----------------------------------------------------------------------------------
COMMITTEE ON THE JUDICIARY
JERROLD NADLER, New York, Chair
MADELEINE DEAN, Pennsylvania, Vice-Chair
ZOE LOFGREN, California JIM JORDAN, Ohio, Ranking Member
SHEILA JACKSON LEE, Texas STEVE CHABOT, Ohio
STEVE COHEN, Tennessee LOUIE GOHMERT, Texas
HENRY C. ``HANK'' JOHNSON, Jr., DARRELL ISSA, California
Georgia KEN BUCK, Colorado
THEODORE E. DEUTCH, Florida MATT GAETZ, Florida
KAREN BASS, California MIKE JOHNSON, Louisiana
HAKEEM S. JEFFRIES, New York ANDY BIGGS, Arizona
DAVID N. CICILLINE, Rhode Island TOM McCLINTOCK, California
ERIC SWALWELL, California W. GREG STEUBE, Florida
TED LIEU, California TOM TIFFANY, Wisconsin
JAMIE RASKIN, Maryland THOMAS MASSIE, Kentucky
PRAMILA JAYAPAL, Washington CHIP ROY, Texas
VAL BUTLER DEMINGS, Florida DAN BISHOP, North Carolina
J. LUIS CORREA, California MICHELLE FISCHBACH, Minnesota
MARY GAY SCANLON, Pennsylvania VICTORIA SPARTZ, Indiana
SYLVIA R. GARCIA, Texas SCOTT FITZGERALD, Wisconsin
JOE NEGUSE, Colorado CLIFF BENTZ, Oregon
LUCY McBATH, Georgia BURGESS OWENS, Utah
GREG STANTON, Arizona
VERONICA ESCOBAR, Texas
MONDAIRE JONES, New York
DEBORAH ROSS, North Carolina
CORI BUSH, Missouri
AMY RUTKIN, Majority Staff Director and Chief of Staff
CHRISTOPHER HIXON, Minority Staff Director
------
C O N T E N T S
----------
Tuesday, July 19, 2022
Page
OPENING STATEMENTS
The Honorable Jerrold Nadler, Chair of the Committee on the
Judiciary from the State of New York........................... 1
The Honorable Jim Jordan, Ranking Member of the Committee on the
Judiciary from the State of Ohio............................... 3
WITNESSES
The Honorable Bob Goodlatte, Senior Policy Advisor, Project for
Privacy & Surveillance Accountability; Former Chair, House
Judiciary Committee
Oral Testimony................................................. 6
Prepared Testimony............................................. 8
Sarah Lamdan, Professor of Law, The City University of New York
School of Law
Oral Testimony................................................. 15
Prepared Testimony............................................. 17
Rebecca Wexler, Faculty Co-Director, Berkeley Center for Law &
Technology and Assistant Professor of Law, University of
California, Berkeley, School of Law
Oral Testimony................................................. 27
Prepared Testimony............................................. 29
Brett Tolman, Executive Director, Right on Crime
Oral Testimony................................................. 32
Prepared Testimony............................................. 34
Elizabeth Goitein, Senior Director, Liberty & National Security
Program, Brennan Center for Justice
Oral Testimony................................................. 38
Prepared Testimony............................................. 40
LETTERS, STATEMENTS, ETC. SUBMITTED FOR THE HEARING
Statement from Caitlin T. Chin, Fellow, Strategic Technologies
Program, Center for Strategic & International Studies,
submitted by the Honorable Jerrold Nadler, Chair of the
Committee on the Judiciary from the State of New York, for the
record......................................................... 58
Materials submitted by the Honorable Andy Biggs, a Member of the
Committee on the Judiciary from the State of Arizona, for the
record
An article entitled, ``Defense Firm Said U.S. Spies Backed Its
Bid for Pegasus Spyware Maker,'' The New York Times.......... 70
An article entitled, ``F.B.I. Secretly Bought Israeli Spyware
and Explored Hacking U.S. Phones,'' The New York Times....... 74
An article entitled, ``F.B.I. Told Israel It Wanted Pegasus
Hacking Tool for Investigations,'' The New York Times........ 77
An article entitled, ``The New Spy Wars,'' The New York Times.. 80
Materials submitted by the Honorable Zoe Lofgren, a Member of the
Committee on the Judiciary from the State of California, for
the record
An article entitled, ``New Records Detail DHS Purchase and Use
of Vast Quantities of Cell Phone Location Data,'' American
Civil Liberties Union........................................ 84
An article entitled, ``ICE Searched LexisNexis Database Over 1
Million Times In Just Seven Months,'' The Intercept.......... 88
A report entitled, ``American Dragnet: Data-Driven Deportation
in the 21st Century,'' Georgetown Law Center on Privacy &
Technology................................................... 95
Materials submitted by the Honorable Matt Gaetz, a Member of the
Committee on the Judiciary from the State of Florida, for the
record
An article entitled, ``Disney takes over Hulu, a company with
serious data collection issues,'' Kim Komando................ 214
An article entitled, ``Disneyland is tracking guests and
generating big profits doing it,'' Los Angeles Times......... 219
An article entitled, ``Disney Facing Lawsuit Over Collecting
and Selling Children's Personal Information,'' Werner Travel
Media........................................................ 223
An article entitled, ``Disney Uses Big Data, IoT And Machine
Learning To Boost Customer Experience,'' Forbes.............. 225
Materials submitted by the Honorable Sylvia Garcia, a Member of
the Committee on the Judiciary from the State of Texas, for the
record
An article entitled, ``Homeland Security records show
`shocking' use of phone data, ACLU says,'' Politico.......... 232
An article entitled, ``ICE investigators used a private utility
database covering millions to pursue immigration
violations,'' The Washington Post............................ 241
An article entitled, ``Federal Agencies Use Cellphone Location
Data for Immigration Enforcement,'' The Wall Street Journal.. 244
APPENDIX
A letter from the Disinfo Defense League, July 19, 2022,
submitted by the Honorable Jerrold Nadler, Chair of the
Committee on the Judiciary from the State of New York, for the
record......................................................... 280
QUESTIONS AND RESPONSES FOR THE RECORD
Questions for Elizabeth Goitein and the Honorable Bob Goodlatte,
submitted by the Honorable Ted Lieu, a Member of the Committee
on the Judiciary from the State of California, for the record.. 286
Responses from Elizabeth Goitein, submitted by the Honorable Ted
Lieu, a Member of the Committee on the Judiciary from the State
of California, for the record.................................. 287
Responses from the Honorable Bob Goodlatte, submitted by the
Honorable Ted Lieu, a Member of the Committee on the Judiciary
from the State of California, for the record................... 291
DIGITAL DRAGNETS:
EXAMINING THE GOVERNMENT'S ACCESS TO YOUR PERSONAL DATA
----------
Tuesday, July 19, 2022
U.S. House of Representatives
Committee on the Judiciary
Washington, DC
The Committee met, pursuant to call, at 10:03 a.m., in Room
2141, Rayburn House Office Building, Hon. Jerrold Nadler [Chair
of the Committee] presiding.
Members present: Representatives Nadler, Lofgren, Jackson
Lee, Johnson of Georgia, Cicilline, Swalwell, Raskin, Jayapal,
Scanlon, Garcia, McBath, Stanton, Dean, Escobar, Ross, Bush,
Jordan, Chabot, Issa, Buck, Gaetz, Biggs, McClintock, Steube,
Tiffany, Massie, Bishop, Fitzgerald, Bentz, and Owens.
Staff present: Aaron Hiller, Chief Counsel and Deputy Staff
Director; John Doty, Senior Advisor and Deputy Staff Director;
Arya Hariharan, Chief Oversight Counsel; David Greengrass,
Senior Counsel; Moh Sharma, Director of Member Services and
Outreach & Policy Advisor; Jacqui Kappler, Oversight Counsel;
Roma Venkateswaran, Professional Staff Member/Legislative Aide;
Cierra Fontenot, Chief Clerk; Gabriel Barnett, Professional
Staff Member; Casey Lee, Staff Assistant; Merrick Nelson,
Digital Director; Elliott Walden, Minority Counsel; Michael
Koren, Minority Senior Professional Staff Member; Andrea
Woodard, Minority Professional Staff Member; and Kiley
Bidelman, Minority Clerk.
Chair Nadler. The House Committee on the Judiciary will
come to order. Without objection, the Chair is authorized to
declare recesses of the Committee at any time. We welcome
everyone to this morning's hearing on Digital Dragnets:
Examining the Government's Access to Your Personal Data.
Before we begin, I would like to remind Members that we
have established an email address and distribution list
dedicated to circulating exhibits, motions, or other written
materials that Members might want to offer as part of our
hearing today. If you would like to submit materials, please
send them to the email address that has been previously
distributed to your offices, and we will circulate the
materials to Members and staff as quickly as we can.
I will now recognize myself for an opening statement after
observing that the proceeding was probably not known when Bob
Goodlatte was Chair of this Committee before we went into all
this stuff.
Data is often called the oil of the 21st century, and the
rush to participate in the market for data has made the
tracking of our personal information an inescapable part of
daily life. From web hosts and cell phones to service providers
and mobile applications, companies that provide online services
are part of an ever-growing industry around the collection and
commodification of our data.
Private companies now compete with each other to manage
these enormous troves of information. This trend alone presents
significant privacy concerns. It is even more troubling that
law enforcement and intelligence agencies at all levels of
government are purchasing this data for their own use, often
sidestepping protections designed to limit the direct
acquisition of the exact same information.
Simply put, law enforcement and intelligence agencies are
now able to obtain vast quantities of information that would
otherwise be unavailable to them without a warrant. Your
physical location, personal habits, internet searches, likes
and dislikes, and politics, to name just a few private
concerns, are all available and accessible to the government.
The easy availability of personal data to the government
poses significant risks to minorities, to those with unpopular
views, to our system of justice, and ultimately, to the
stability of our democracy itself. Our founders understood what
a country without protection from unwarranted search and
seizure looks like. They knew that, to protect the citizens of
the fledgling United States of America from the government it
was creating, it was essential to provide basic guidelines for
law enforcement to follow, which they did in the Fourth
Amendment.
Recent advances have allowed the technology of data
collection to get ahead of the laws protecting our privacy.
This overreach is clear from recent scandals that include the
pervasive use of geolocation data to track peaceful protesters,
the sweeping surveillance of thousands of devices to identify
just two suspects, and the purchase of data from prayer apps
and dating apps.
What links these incidents and others together is a
disturbing trend, the increasing reliance of law enforcement on
massive data sets with little consideration for due process. It
is, plain and simple, the warrantless surveillance of everyday
Americans. It may have dire consequences.
For example, women across the country who wonder what
America will look like in the wake of the Dobbs decision are at
particular risk for this data surveillance. In States where
abortion is now a crime, law enforcement can use available data
to keep track of who searches online for the words miscarriage
or abortion. They can purchase geolocation data to monitor
which phones travel out of State to go to a medical provider.
They can access the data from tracking apps or purchase
integrated data profiles to see or even predict if and when a
woman may be pregnant or may be likely to seek an abortion.
The more we learn the more we realize that there are few
measures in place to shield our digital footprints from the
hands of government agencies. Every person sitting in this room
likely has a cell phone with them today that is tracking
location, use, and communications to and from the device.
Private companies will sweep up that information, package it,
and sell it for uses ranging from the most benign microtargeted
advertisement to the most invasive digital profile.
Law enforcement and intelligence agencies clearly have an
interest in those commercial products, especially where due
process concerns would make it difficult for those agencies to
acquire the data directly.
Although some companies claim to sell only anonymized data
or never to sell to the government, experts agree that both
guarantees are empty promises. When there is no constraint on
the future use or sale of individual data, companies have no
control over reidentification of that data and no control over
where it goes next.
Although we do not know the full scope of the Federal
government's access to and use of these commercial products,
some government contracts give us a sense of scale. For
example, ICE, the DEA, and the FBI each contract with a data
broker that sources location data from over 80,000 apps. The
products are so precise that officers can track individuals
within specific homes and businesses, again tracking your
location over time, within inches, without any due process
whatsoever.
The problem is not limited to the purchase of data. So-
called reverse search warrants allow law enforcement agencies
to make broad requests for a company's data, such as every
person who searched for a specific term or every person who is
in a particular place over some period of time, totally
upending traditional notions of a narrowly tailored warrant
based on probable cause.
The end result is that just by going about your daily life
your data may be swept up in and make you the subject of a
criminal investigation. Investigations this broad and baseless
present significant risk of mistaken identity and have led to
erroneous arrests in many cases.
If law enforcement and intelligence agencies remain
unrestrained in their ability to purchase this data, our right
to privacy will be, at best, illusory. I look forward to
hearing from our distinguished Witnesses about how pervasive
this problem is and how we can best rebalance the law to
protect our liberty.
I now recognize the Ranking Member of the Judiciary
Committee, the gentleman from Ohio, Mr. Jordan, for his opening
statement.
Mr. Jordan. Thank you, Mr. Chair. I want to thank you for
having this hearing and for our Witnesses, all our Witnesses
who are here today. I look forward to their testimony.
Over the last year, we have seen how big government has
threatened almost every freedom Americans enjoy. I mean, just
stop and think about it for a second. The First Amendment
rights we enjoy, your right to practice your faith, your right
to assemble, right to petition the government, freedom of
press, freedom of speech, every single one has been attacked,
has been assaulted over the last year by government.
Until a few months ago there were still places in the
country where a full congregation couldn't meet on Sunday
morning, your right to assemble. I always use the example,
about a year and a half ago I spoke to the New Mexico
Republican Party in Amarillo, Texas, because they had to go to
Texas for the freedom to assemble and meet in the size group
that they wanted to meet.
The ability to petition your government, again, until a few
months ago, you couldn't even, American citizens couldn't even
go into their Capitol to talk to their Member of Congress to
petition them to redress their grievances because the Speaker
of the House wouldn't let them in.
We know what has happened with freedom of press and freedom
of speech. The government was trying to--they did for like
three weeks, then, thank goodness, they cancelled it. They
tried to form a Disinformation Governance Board, for goodness'
sake. So, First Amendment attacks we have seen.
We know about the Second Amendment attacks. There is going
to be one tomorrow in this Committee, a markup on a bill to
limit the Second Amendment rights law abiding Americans enjoy.
Of course, today the focus is on our Fourth Amendment
rights. Never before in our history has the government known
more about its citizens and had more sophisticated tools for
spying on us than right now. Not only does government have the
technological abilities to gather large amounts of information
about us, but the law is also in many ways outdated and on the
side of those doing the spying rather than on those being spied
on. This is wrong, and it is un-American.
The Foreign Intelligence Surveillance Act was originally
intended by Congress to reign in abuses from the intelligence
community in the '60s and '70s, spies that grew out of the
Senate Church Committee Investigation, which uncovered, among
other things, that the CIA was infiltrating political
organizations.
Over time what were supposed to be guardrails have turned
into loopholes for legitimizing a surveillance dragnet. Nowhere
was this more obvious than when the FBI, Director Comey and his
cronies, misused the FISA program to target a presidential
campaign. It took years for us to uncover the systematic abuses
that allowed Comey and the FBI to spy on an American President.
If the FBI can do it, and this is critical, if the FBI can do
it to a presidential campaign, they can do it to anyone, any
American citizen.
Still, FISA remains broken and in desperate need of serious
reform. It is our hope that Congress will be ready soon to move
serious legislation to stop these abuses and provide for more
transparency and accountability in the FISA process.
The problem is hardly limited to FISA. The mass adoption of
electronic devices that collect data on every aspect of our
lives has allowed new avenues for surveillance that require us
to rethink the law.
I want to thank former Chair Goodlatte for joining us
today. Among other things, Chair Goodlatte shepherded through
much needed reforms to the Electronic Communications Privacy
Act, or ECPA. That reform legislation was reported out of this
Committee and passed the House twice. Unfortunately, it did not
get through the Senate. It is high time that Congress reform
that law. This should be low-hanging fruit to protect
Americans' privacy.
That legislation is woefully outdated. It was signed into
law in 1986 before the modern internet existed. It has left
many loopholes for warrantless surveillance that are regularly
exploited by law enforcement.
Earlier this year this Committee sought to close one such
loophole when we passed legislation to put restrictions on gag
orders that prevent third parties from telling their customers
that their information is being solicited by the government.
We still have much work to do. This must include us taking
a hard look at government's warrantless access to commercially
available bulk data and its use of tools like Pegasus that
allow them to spy on encrypted mobile devices. It should also
include us considering restrictions on the government's use of
facial recognition technology within the United States to
target citizens.
I hope that we can work together, and we can begin the long
overdue process of putting common sense guardrails in place to
protect Americans' Fourth Amendment liberties. Mr. Chair, thank
you again for this hearing. I do look forward to the discussion
and the testimony from our Witnesses.
Chair Nadler. Thank you, Mr. Jordan. Without objection, all
other opening statements will be included in the record.
I will now introduce today's Witnesses.
Bob Goodlatte is Senior Policy Advisor for the Project for
Privacy and Surveillance Accountability and is also the former
Chair of the House Judiciary Committee, that is to say of this
Committee, as well as the former Chair of the House Agriculture
Committee. Chair Goodlatte served in the House with distinction
from 1993-2019. He received his B.A. from Bates College and his
J.D. from Washington and Lee University. It is our great
pleasure to welcome him back to this Committee.
Sarah Lamdan is a Professor of Law at the City University
of New York School of Law whose research focuses on information
law and policy. She is also a fellow at the Engelberg Center on
Innovation Law & Policy at NYU School of Law. Professor Lamdan
received her undergraduate and law degrees from the University
of Kansas and a master's degree from Emporia State University's
School of Library and Information Management.
Rebecca Wexler is Faculty Co-Director of the Berkeley
Center for Law and Technology and Assistant Professor of Law at
the University of California, Berkeley, School of Law. Prior to
attending law school, she made documentary films for national
broadcast television, museums, and educational distribution.
Professor Wexler received her B.A. from Harvard College, her
Master of Philosophy from Cambridge University, and her J.D.
from Yale Law School.
Brett Tolman serves as Executive Director of Right on
Crime. He is also the founder of the Tolman Group, focusing on
public policy and government reform. Prior to entering private
practice, he served as the United States Attorney for the
District of Utah. Previously, he also served as Chief Counsel
for Crime and Terrorism to the United States Senate Judiciary
Committee. Mr. Tolman received his undergraduate and law
degrees from Brigham Young University.
Elizabeth Goitein, and I hope I have that pronunciation
right, Elizabeth Goitein is Senior Director of the Liberty and
National Security Program at the Brennan Center for Justice.
Before coming to the Brennan Center, she served as counsel to
Senator Russ Feingold on the Senate Judiciary Committee and as
a trial attorney in the Federal Programs Branch of the Civil
Division of the Department of Justice. Previously, she clerked
for Judge Michael Daly Hawkins on the U.S. Court of Appeals for
the Ninth Circuit. She received her undergraduate and law
degrees from Yale University.
We welcome our distinguished Witnesses, and we thank them
for participating today. I will begin by swearing in our
Witnesses. I ask that our Witnesses in person please rise and
raise your right hand. I ask that our remote Witnesses please
turn on your audio and make sure I can see your face and raised
right hand while I administer the oath. Okay.
Do you swear or affirm under penalty of perjury that the
testimony you are about to give is true and correct to the best
of your knowledge, information, and belief so help you God? Let
the record show that the Witnesses have answered in the
affirmative. Thank you and please be seated.
Please note that each of your written statements will be
entered into the record in its entirety. Accordingly, I ask
that you summarize your testimony in five minutes. To help you
stay within that time, there is a timing light on your table.
When the light switches from green to yellow, you have one
minute to conclude your testimony. When the light turns red, it
signals your five minutes have expired. For our Witnesses
appearing virtually, there is a timer on your screen to help
you keep track of time.
Chair Goodlatte, you may begin.
STATEMENT OF THE HON. BOB GOODLATTE
Mr. Goodlatte. Chair Nadler, Ranking Member Jordan, I am
honored to be back before my colleagues today. I come in as the
Senior Policy Advisor for the Project for Privacy &
Surveillance Accountability, or PPSA, a non-partisan group that
advocates for our Fourth Amendment protections and government
surveillance reform. We work on a daily basis with about ten
other civil liberties organizations across the ideological
spectrum.
A giant loophole we never imagined has weakened those
protections. Government agencies are asserting they can flout
the Fourth Amendment's requirement for a probable cause warrant
by simply buying our personal data. Agencies ranging from the
Defense Intelligence Agency to the IRS to likely the FBI and
CIA as well are buying the personal data of millions of
Americans they would otherwise have to get a warrant to obtain.
Some of us are nonchalant about all the personal
information companies like Facebook compile on us. Others are
outraged at this corporate invasion of our privacy. I would
add, however, that the extraction of our personal data by the
government is far more ominous. No private party can break down
your door at dawn, take you out in handcuffs, and prosecute
you. No private party can fine you, enjoin you, restrain you,
tax you, and deprive you of liberty and, yes, even life. Only
the government can do that.
Our very country was born out of anger and fear of what a
government can do to people when it doesn't respect their
privacy. The offensiveness of seizures of Americans' personal
information by agents of the British Crown explains why the
framers of the Constitution explicitly required a warrant based
on probable cause.
Now, government lawyers are embellishing this work of the
framers by adding, ``unless we buy it.'' This practice defies
the Fourth Amendment. It also defies Supreme Court opinions
requiring warrants to access someone's location history from a
cell tower and forbidding warrantless intrusion into a cell
phone because it holds ``the privacies of life.''
A reasonable interpretation of these opinions should have
prompted government lawyers to tread lightly. Instead, like a
flippant teenager, government lawyers take these restrictions
as a sign that anything not expressly prohibited must be
permissible. Thus, Senator Ron Wyden reports that the Defense
Intelligence Agency informed his office it does not have to
adhere to the Constitution or the Supreme Court Carpenter
ruling when it buys data. That is outrageous.
Even more outrageous is how data purchasing operates in
practice. Just yesterday, the American Civil Liberties Union
released thousands of pages of data showing that Department of
Homeland Security agencies are paying millions of dollars to
data brokers, one of which claims to collect more than 15
billion, that is with a ``B,'' location points from over 250
million mobile devices every day.
The Department of Defense, for example, has used this
tactic to access data from a dating app, Muslim Mingle.
Imagine, this government agency managed to compromise the
Fourth Amendment and degrade the First Amendment right to free
exercise of religion in just one move.
In February, Senators Wyden and Heinrich revealed that the
CIA has engaged in bulk collection based not on a statutory
authority but on Executive Order 12333, entirely outside of any
judicial or statutory authority. This strongly suggests legal
acrobatics similar to DOD's are at play at the CIA.
Under current law, the government cannot obtain records
from companies like Facebook and Google without a court order.
Why should data brokers be treated any differently? The
obscurity of the loophole the government is exploiting
underscore how shaky its legal foundation is.
The solution is, I suggest, the Fourth Amendment Is Not for
Sale Act. This bill would close the loopholes in the law. It
would forbid government agencies from buying personal data it
would otherwise need a warrant or subpoena to obtain.
When the Fourth Amendment Is Not for Sale passes, U.S. law
enforcement and intelligence agencies will still have powerful
legal tools at their fingertips with which to follow leads that
can catch terrorists, spies, and dangerous criminals. They will
just have to follow the rules.
I thank Chair Nadler and Congresswoman Lofgren for their
leadership in introducing this legislation. I also thank
Ranking Member Jordan, who has expressed concern about the
impact of the surveillance State on Americans' fundamental
liberties and rights. Many Members on both sides of the aisle
on this Committee and in the Congress as a whole have spoken
out. Now, it is time to act.
The more answers you can compel from the government about
the scope and uses of purchased data the better we will be able
to devise rules to protect the American people from lawless
mass surveillance. Thank you.
[The statement of the Hon. Goodlatte follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Thank you, Chair Goodlatte.
Professor Lamdan, you are now recognized for five minutes.
STATEMENT OF SARAH LAMDAN
Ms. Lamdan. Chair Nadler, Ranking Member Jordan, and
distinguished Members of the Committee, I thank you for the
opportunity to speak here today about the government's use of
personal data.
Surveillance has always been a part of U.S. national
security and public safety regimes. Traditionally, policing and
intelligence work revolved around the compelled and targeted
surveillance, traffic stops, particularized warrants, and other
searches done on a person-by-person basis.
These compelled surveillance methods are being replaced by
voluntary surveillance method systems that are data driven,
like automated license plate readers and dragnet reverse
location and keyword warrants.
People call these datafied surveillance systems voluntary,
but most of us don't truly volunteer to be a part of them. We
may technically consent to driving on a public road lined with
cameras or clicking I agree to access an online service. These
choices to trade our data for access are illusory. We must make
them to participate in daily life.
Every move we make online, including through the apps on
our phones, connected home electronics, and wearable devices,
generates data that can be collected, shared, and sold. Even
when companies promise that they will anonymize our data, that
data can easily be reidentified. In some cases, the government
doesn't collect its own data or build its own data analytic
systems, excuse me, in most cases.
Several types of companies comprise our modern surveillance
infrastructure.
First, we have data analytics systems and products, so
those are algorithms, machine learning systems, and other forms
of artificial intelligence, that predict whether someone will
commit a crime or default on a loan, et cetera.
The second type of company is a designer data company, like
a facial recognition or a biometric data company or a
geospatial or geolocation data company that can pinpoint where
you are located.
The third type of companies are data brokers that provide
huge dossiers containing information like our addresses, our
work, and our credit histories.
Together, these companies have become de facto primary fact
finders in many law enforcement investigations. They have been
called big brother's little helpers because they turn policing
from a suspect-focused search into a constant, intrusive
surveillance system that surveils all of us.
Rather than focusing on particular suspects, data policing
tools are dragnets, sifting through all of our data. They
provide a 300-degree view of our lives, revealing where we go,
who we know, and what we do each day. The data companies'
services likely know more about you than your friends or family
do.
Even if you try to opt out of data collection, the
companies create shadow profiles about you based on the data
that your friends, family, and associates trail behind them
when they go online. The data in these companies' products
contain errors that are difficult, if not impossible, to
correct and the data analytics systems themselves are
notoriously inaccurate.
Without oversight and supervision, it is hard to figure out
exactly how the government uses data analytics products. This
obscurity flouts freedom of information laws. Legal loopholes
put the industry beyond the scope of due process protections
that are built into our laws and administrative procedures.
Some legal experts posit that the government agencies do their
work through these companies intentionally to buy their way
around due process requirements.
Without legal safeguards, there is no limit on what kinds
of surveillance products agencies use and how they use them.
Agencies don't monitor how employees use the products, so
employees use the systems to make questionable searches.
The government's partnerships with data companies are ripe
for legislative oversight. Laws should require that the public
be notified about how and why their data is being collected and
used. These notices should set specific purposes and timelines
for data programs. The programs should be audited regularly to
be sure that they are being implemented for their intended
purposes.
Programs that use personal data should be transparent and
provide for public comment. People should be able to consent to
the collection of their personal data and to see and correct
their data sets, even when those data sets are provided by a
third party. There should be processes to ensure that when the
government implements data programs it is using accurate data
and unbiased data analytics systems that properly serve their
assigned purposes.
As the government continues to work with data companies to
build its surveillance infrastructure, we must balance the need
for robust national security and public safety and the benefits
of quick and easy data services with the privacy and civil
rights of the American public. I look forward to answering your
questions.
[The statement of Ms. Lamdan follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Thank you, Professor Lamdan.
Professor Wexler, you are now recognized for five minutes.
STATEMENT OF REBECCA WEXLER
Ms. Wexler. Mr. Chair and Members of the Committee, my name
is Rebecca Wexler. I am an Assistant Professor of Law at the
University of California, Berkeley, School of Law. I am honored
to have been invited to testify today about how law enforcement
collection of data through private intermediaries can conceal
evidence of innocence by circumventing criminal defense
discovery rights.
Collecting data from private intermediaries rather than
seizing it directly not only allows law enforcement to collect
more information more easily, an underappreciated aspect of
this practice is that it also allows law enforcement to collect
less evidence of innocence. When law enforcement does not
possess exculpatory evidence, it can be much harder for the
defense to access it, risking wrongful convictions.
Let me give some examples. When law enforcement purchases
data from intermediaries or uses private biometric databases or
licenses surveillance software from private companies, the
officers can stay ignorant of flaws in the data. They don't
have to learn whether the data were acquired in violation of a
privacy statute or through breach of contract or through
unlawful hacking. They don't have to learn about errors in
quality control that could have corrupted the data or rendered
it unreliable or subject to tampering. They don't have to learn
about bugs or improper validation studies or racial and other
biases in the software used to acquire the data.
Indeed, private companies sometimes claim this type of
information is a trade secret. They refuse to disclose it even
to their own law enforcement customers, much less in response
to a subpoena. Yet, all that information could be exculpatory
evidence relevant to prove innocence and stop wrongful
convictions.
If law enforcement seizes data directly, they are much more
likely to know these flaws because they will collect the data
closer to its point of origin or they will build the database
for surveillance software directly. If they acquire data from
private intermediaries, they are much more likely not to know
because they can acquire the final data output without any
other information. When law enforcement is ignorant of flaws in
their data or in data collection methods, it is harder for
defendants to access that exculpatory evidence.
Here is why. If law enforcement is ignorant of exculpatory
evidence, defendants' constitutional Brady due process rights,
which as you know would otherwise require the prosecution to
disclose evidence of innocence, do not apply. Defendants'
statutory discovery rights to obtain exculpatory evidence from
the prosecution do not apply. If defendants exercise their
Sixth Amendment rights to call law enforcement officers to the
witness stand, cross examination will be futile.
Meanwhile, current evidence rules permit prosecution
witnesses to introduce data into evidence even if they are
ignorant about flaws in the data or the method of collecting
it. Nor is it easy for defendants to get information about such
flaws directly from a private company. In a catch-22,
defendants can't subpoena companies directly for exculpatory
evidence unless they already know the evidence exists and can
identify it with specificity. That is a task that is virtually
impossible for evidence you have not yet seen. Trying to get
criminal defense subpoenas enforced across State lines can be
prohibitively costly and time consuming.
Further, vendors of surveillance technologies sometimes say
that their products are for law enforcement customers only and
refuse to give or sell copies to criminal defense experts for
scrutiny and testing. Indeed, some companies even refuse
research licenses to independent scientists to scrutinize their
products, all the while claiming in court that those products
are subject to peer review.
In sum, it is much harder for criminal defense counsel to
access exculpatory evidence about flaws in data collected
through private intermediaries as opposed to data collected by
law enforcement directly.
To help fix this problem, Congress should consider ways to
protest defense counsels' access to exculpatory evidence, for
instance, eliminate the trade secret evidentiary privilege for
private entities that sell data and investigative software to
law enforcement, clarify that the Stored Communications Act
does not block criminal defense subpoenas to technology
companies, strengthen defendants' general third-party subpoena
powers, and require law enforcement to obtain exculpatory
evidence on behalf of the accused if defense counsel is unable
to obtain it directly.
Thank you for the opportunity to testify today. I look
forward to your questions.
[The statement of Ms. Wexler follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Thank you, Professor Wexler.
Mr. Tolman, you are now recognized for five minutes.
STATEMENT OF BRETT TOLMAN
Mr. Tolman. Thank you, Mr. Chair Nadler, Ranking Member
Jordan, and Members of this Committee, and thank you for the
opportunity to testify today.
I am encouraged by the Committee's decision to hold a
hearing to address concerns around law enforcement's
warrantless access to commercially available bulk data. These
concerns are valid, and I share them.
The Fourth Amendment affords Americans an expectation of
privacy with respect to their person and property such that if
law enforcement wishes to gain access to their personal
records, they must first establish probable cause to search to
secure a warrant which they make available to the individual
subject to search.
The Supreme Court has ruled that a person's expectations to
privacy under the Fourth Amendment follows them, not a
particular location. Well, what about an individual's digital
footprint? Is there a reasonable expectation of privacy
attached to both records containing an individual's digital
record? Yes. As such, the Fourth Amendment demands a warrant
predicate to access this information.
With constant evolution of technology and the digital
footprints that individuals generate as a result expose
opportunities for end runs or around the Fourth Amendment's
privacy guarantees. Therefore, use of technology by the
government upon its citizens must be subject to constant
scrutiny. To that end, I am critical of the law enforcement
practice of purchasing databases in bulk which they then mine
or dare I say search for incriminating information against
unwitting citizens as violating the expectation of privacy
guaranteed under the Fourth Amendment. This access by law
enforcement of an individual's digital records and movements is
purchased, rather than obtained by a warrant as required by the
Fourth Amendment.
Americans' personal data is sold to law enforcement
unbeknownst to them and for the purpose of investigating or
surveilling. This is a violation, plain and simple.
Congressional attention and oversight concerning the law of
transparency and basic information relating to law
enforcement's access to an individual's digital movements must
persist to ensure the rights of citizens are not sacrificed on
the altar of technological innovation. Private technology
companies that contract with law enforcement harvest billions
of photos posted by unsuspected users on platforms such as
Facebook, YouTube, Venmo, and TikTok. This collection and data
grab amounts to unprecedented invasions of privacy that places
enormous undue control in the hands of the government and big
tech, two entities not always known for their light touch or
responsible use of power.
Just because law enforcement collects the data from a third
party that maintain the same for commercial purposes does not
negate one's reasonable expectation of privacy when the data
tracks their movement and location. Inevitably, law enforcement
will default to reliance on unfettered access to digital
records from third parties, if permitted to bypass a warrant.
They may do so touting laudatory uses such as identifying
missing persons, but a right abuse for any reason is still an
abuse and its expansion and use is inevitable.
Our Founding Fathers deliberately and prudently enshrined
in the Bill of Rights prescriptions on the wanton search of
Americans as a necessary bulwark for freedom. It is hard to
square these notions and protections with the unfettered access
to digital records that can instantaneously reveal an
individual's identity, location, communication, movements,
associations, and otherwise.
Americans have long prided themselves on our ability to
refuse the government unless it has legitimate cause to
interfere with our liberty. Our police, at least in the absence
of reasonable suspicion of wrongdoing, are supposed to rely on
the consent of the citizenry and their interactions. The
unfettered power to mine personal information with little
public awareness or transparency stands this principle on its
head.
Law enforcement has already accessed all the information
needed to track down. Americans are placed in a position where
they must choose between the convenience and necessity of
technology against their right to privacy from government
surveillance. Furthermore, we cannot ignore the risk that
access to commercially available digital records without a
warrant will be used to target certain Americans. Consider the
chilling effect if the government could sidestep the probable
cause necessary to obtain a warrant from the court and simply
purchase the data necessary to target an American or groups of
Americans for surveillance, while protections are in place to
ensure that targets are not politically motivated or otherwise
motivated in support of an agenda having nothing to do with
public safety.
Not long ago, I was tasked with leading the effort in the
Senate to reauthorize the Patriot Act. We heard similar
assurances years ago by both leading the Department of Justice
and the FBI about FISA and those surveillance authorities are
not turned against honest Americans. We are seeing how that
worked out as outlined in the recent and disturbing Inspector
General reports.
One needs only to look no further than Russia's and China's
unconscionable and unfettered control over the digital
footprint of its citizenry where no expectation of privacy
exists to appreciate the limitations the Fourth Amendment
places upon government agencies in America. Significant
restraints are necessary for privacy protections to catch up to
the rapidly-advancing capabilities of technology. Americans
deserve transparency as to the nature of law enforcement's
access to data held by third parties containing information for
which they had a reasonable expectation to believe was private.
Thank you once again for the opportunity to present these
concerns to the Members of this Committee.
[The statement of Mr. Tolman follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Thank you, Mr. Tolman.
Ms. Goitein, you are now recognized for five minutes.
STATEMENT OF ELIZABETH GOITEIN
Ms. Goitein. Chair Nadler, Ranking Member Jordan, and
Members of the Committee, thank you for this opportunity to
testify.
It is often said that the law fails to keep up with
technology. When it comes to the government's access to
Americans' personal data, that is an understatement. Advances
in technology have rendered old Fourth Amendment doctrines
obsolete and have opened enormous gaps in the laws passed by
Congress. The government is exploiting the resulting legal
loopholes to obtain Americans' most sensitive information
without a warrant, subpoena, or any legal process whatsoever.
Let's start with the Fourth Amendment. Decades ago, the
Supreme Court held that people have no Fourth Amendment rights
in information they voluntarily share with a third party, such
as a phone company. Whatever merit the so-called third-party
doctrine had in the 1970s, it makes no sense in the digital
era.
Today, it is virtually impossible to go 24 hours without
disclosing highly-sensitive information to a multitude of third
parties. Our internet searches and the websites we visit are
logged by internet service providers. Our cell phones record
our movements throughout the day, revealing visits to
therapists, doctors, or houses of worship. Every online
purchase creates a lasting digital record.
The Supreme Court has finally begun to catch up. In 2018,
the court held in Carpenter v. The United States that the
police need a warrant to collect a week's worth of cell phone
location information, even though customers share that
information with the phone company. The court reasoned that
this information could reveal the most intimate details of
someone's life--their associations, habits, even beliefs.
Moreover, there is really nothing voluntary about sharing this
information, because cell phones are not optional in modern
society.
Despite this ruling, investigative reporters have
discovered that Federal agencies have secretly been paying data
brokers to gain access to vast troves of Americans' personal
data including cell phone location information. Agencies that
have bought such data include the FBI, DEA, the Department of
Defense, and as confirmed by thousands of pages of FOIA
documents released by the ACLU yesterday, the Department of
Homeland Security. Even the IRS, according to the Wall Street
Journal, purchased access to a database containing location
information for millions of American cell phone records.
Given the Carpenter decision, how can the government obtain
Americans' geolocation information, sometimes in massive
quantities, without getting a single warrant? It turns out
agency lawyers have interpreted Carpenter to apply only when
the government compels companies to disclose data. When the
government nearly incentivizes such disclosure by writing a big
check, the warrant requirement just disappears. This is legal
sophistry, but realistically, it could take years for the
courts to settle that question.
That leaves us, for now, with statutory protections. The
Electronic Communications Privacy Act prohibits providers of
communications or computing services from disclosing customer
information to the government without a court order or
subpoena. The law is woefully outdated. The companies it covers
do not include many app developers or digital data brokers. It
is not that Congress chose not to include them. Those entities
simply didn't exist in 1986 when ECPA was passed.
This gap creates an easy end run around the law's
protections. Companies that are prohibited from selling their
data to the government can sell it to a data broker instead,
and the data broker can turn around and sell the same
information to the government at a handsome profit. The
information is effectively laundered through a middleman. Many
app developers can sell geolocation data directly to the
government, although in practice, they usually operate through
data brokers as well.
Easy government access to Americans' Fourth Amendment
protected information doesn't just violate our privacy. It
invites abuse, in particular, the targeting of people or groups
based on race, religion, or political activity. We have seen
this already. The Department of Defense purchased access to
geolocation information from popular Muslim prayer and dating
apps. Police departments used a data broker to track people who
attended racial justice protests in Ferguson and Baltimore.
It is time for Congress to step in. Chair Nadler and
Representative Lofgren have introduced the Fourth Amendment Is
Not For Sale Act, which would prohibit law enforcement and
intelligence agencies from buying data that they would
otherwise need a warrant or subpoena to obtain. The Brennan
Center supports this legislation, and we urge this Committee to
advance it quickly.
Thank you and I look forward to your questions.
[The statement of Ms. Goitein follows:]
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. I thank all the Witnesses for their
testimony. We will now proceed under the five-minute rule with
questions. I recognize myself for five minutes.
Professor Lamdan, in your opening statement, you mentioned
that personal data is combined into dossiers for government use
and for integration with designer data companies specializing
in data products.
How does personal data flow to larger brokerage firms and
how is it combined into marketable packages for law enforcement
and government entities?
Ms. Lamdan. So, there are a series of different pathways.
There is no one way that these data sets get into these
dossiers. There are major companies that collect data from over
10,000 sources. Those companies began as public records
collectors, so they were collecting like DMV rolls, voting
rolls, public records that were already available and
acceptable. Then they just kept kind of accumulating more and
more sources to what Elizabeth just mentioned about how if the
government wants to get data from a particular entity or a
particular app or particular data company or source, rather
than selling it directly to the government, if the company or
the app or whatever the entity is sells it to one of these
major data brokers like LexisNexis, or an Oracle, or you know,
one of these large, data dossier companies, then those data
dossier companies will license data streams to the government
agency that contracts with them. So, that is how our personal
data from say using Facebook or using the GPS on our phone
makes its way to the government. It gets collected piece by
piece and then placed in a large data document associated with
your name.
Chair Nadler. Thank you. Professor Wexler, in cases where
prosecutors fail to collect Brady information, what prevents
the defense counsel from simply purchasing potentially
exculpatory evidence from data broker themselves?
Ms. Wexler. Thank you for the question, Chair Nadler.
Beyond financial barriers and the possibility defense counsel
might not know exculpatory information exists like flaws in the
data collection method, some companies refuse to sell data or
investigative software to anyone other than law enforcement
customers, so they just flat out say no.
In addition, data companies don't generally sell
information about flaws in their methods. They are likely
instead to claim that information as a trade secret and refuse
to even disclose it subject to a subpoena.
Finally, some privacy statutes including the SCA, as
interpreted by the courts today, bar private entities from
disclosing certain information to defense counsel even if there
is a subpoena and a court order that the information is
necessary to the administration of justice.
Chair Nadler. Thank you. Chair Goodlatte, there is a
disturbing lack of transparency when it comes to how Americans'
detailed personal information reaches law enforcement or the
government, whether it is through data broker purchases or
geofence warrants.
Are law enforcement and the Federal government buying their
way around due process protections? Do you believe that was the
intention of the Electronic Communications Privacy Act when it
was first passed?
Mr. Goodlatte. I don't think the Electronic Communications
Privacy Act when first passed contemplated this being an issue
at all since at that time access to information in emails was
probably the primary thing that could be obtained. As has been
mentioned, the evolution of the internet has been so dramatic
since then that automatically information of all sources is
being gathered and people don't even realize how much
information is gathered.
I counted yesterday that I have 160 apps on my phone,
probably half of those are tracking various pieces of
information about me that is being stored somewhere and it is
available to be sold to somebody. As I said in my testimony,
when it goes to the government, I think they are indeed going
around the intent of the Fourth Amendment when they are allowed
to buy that when otherwise they would be required to have a
warrant.
Chair Nadler. Thank you. Professor Lamdan, similar to
predictive policing, can analysis of these complicated data
sets predict who is likely to get pregnant, when they are
likely to get pregnant, or similarly, who is likely to seek out
an abortion, whether it is based on age demographics, income,
location or other factors?
Ms. Lamdan. Absolutely, yes. Predictive analytics can be
built to serve all sorts of needs and there is so much data,
there is such a wealth of data available about our internet
searches, who we have been messaging, what about our period
trackers, all sorts of health apps that it would be very easy
to make that kind of a predictive analytic system.
Chair Nadler. Thank you. I thank our Witnesses for their
excellent testimony. Before I yield back, without objection, I
will enter into the record a statement for the record by
Caitlin Chin, Fellow at the Strategic Technologies Program at
the Center for Strategic and International Studies.
[The information follows:]
CHAIR NADLER FOR THE RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. Mr. Biggs.
Mr. Biggs. Thank you, Mr. Chair. Thank you for holding this
hearing today and I appreciate the Witnesses being here. I have
read all your testimony and listened today and read the
guidance for both the majority and the minority.
Mr. Chair, I would urge you to bring the Fourth Amendment
Is Not For Sale Act up for a markup in this Committee as soon
as possible. I think it is really imperative that we do that.
It is nearly impossible for an individual to participate in
American society today and not have their data collected and
sold. So, I am really concerned about this. Probably eight
years ago at a forum I was at, Walmart was talking about their
capacity to obtain information and they probably have the
biggest database on consumers in the world at that time. Now,
with data aggregators and data brokers, our government now has
probably easily surpassed that and also private businesses as
well.
Ms. Lamdan, companies--if I understand this right, with
geo-
tracking, geolocation data, companies are able to basically
know where individuals are based on the data collected from
their cell phones. Is that right?
Ms. Lamdan. Yes, that is correct.
Mr. Biggs. So, I was called to mind in the majority
briefing in March of 2019, a Gainesville, Florida man was
arrested based on the fact that this geolocation data indicated
he kept passing the home where a burglary took place. Turns out
that was his biking route, and it was his exercise app.
So, Ms. Goitein, with access to geolocation data the
government can track anyone's movements throughout the city,
not just where they are, but their movements as well. Is that
fair to say?
Ms. Goitein. Absolutely, and that is why it is so revealing
because it can reveal not just where someone was at any given
time, but their patterns of life, their movements throughout
the day, and over the course of even longer periods of time, it
can really reveal everything.
Mr. Biggs. This information is accurate? At least as far as
geolocation goes, necessarily? That phone is where the data
indicates. Is that fair to say?
Ms. Goitein. Well, it is accurate enough to be extremely
violative of individuals' privacy while simultaneously leaving
enough room for error that people are falsely flagged with this
information, and that is also a real problem.
Mr. Biggs. Sure. So, I mean you would obviously have some
kind of confirming evidence you would think other than just
geo--
Ms. Goitein. One would hope.
Mr. Biggs. Yes, one would hope. If I understand this right
and I am going fast because I only have five minutes.
Government, business, even individuals can actually buy this
information from brokers. Is that fair, Ms. Goitein?
Ms. Goitein. There is a wide range of clients and it
includes all the entities you mentioned.
Mr. Biggs. I just want to just clarify to make sure I get
it right. This data could indicate where, when, and how often a
person goes to a certain location or some proximity, is that
fair to say to the panelists?
Ms. Goitein. Yes.
Mr. Biggs. Thank you. So, similarly, if a group acquired
geolocation data for certain locations such as ballot drop
boxes, they would be able to identify frequent visitors to
those drop boxes to uncover a pattern of potentially illegal
ballot harvesting. Unfortunately, too many officials have
dismissed this, but if you had and as we just clarified, if you
had additional video evidence of someone being at a location,
confirming the geolocation data, that would be pretty
important.
So, one tech researcher has indicated
is geotracking of incredible accuracy mentioned in the
film 2000 Mules possible and being used today?
Absolutely. It is obtainable by anyone willing to pay the
right amount of cash. Yes, and it is far more detailed than you
know.
That is fair to say that this is more accurate than most
people even realize and when you have separate, verifying
evidence that might verify that, Chair Goodlatte, that would be
pretty impressive evidence, would it not of someone being at a
location doing a certain thing?
Mr. Goodlatte. If you have probable cause to obtain the
information, then certainly I have absolutely no objection to
law enforcement securing the type of information we--
Mr. Biggs. I am talking about, for instance, in the 2000
Mules movie where they have--they use geotracking location to
identify certain movements of individuals via phones and they
actually went through and found the video evidence indicating
that person was sticking a bunch of ballots in a box at a
certain time. That would be pretty compelling evidence, would
it not?
Mr. Goodlatte. If you have corroborating evidence, yes.
Mr. Biggs. Thank you. Mr. Chair, I have a number of
articles I would like to submit to the record. A New York Times
article, ``Defense Firm Said U.S. Spies Backed Its Bid for
Pegasus Spyware Maker.'' ``FBI Secretly Bought Israeli Spyware
and Explored Hacking U.S. Phones.'' ``FBI Told Israel It Wanted
Pegasus Hacking Tool for Investigations.'' Finally, another
article by--all these are The New York Times, the last one
being, ``The New Spy Wars,'' and I ask that they be admitted.
Chair Nadler. Without objection.
[The information follows:]
MR. BIGGS FOR THE RECORD
=======================================================================
[[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Mr. Biggs. Thank you and I will yield back. Thanks, Mr.
Chair.
Chair Nadler. The gentleman yields back. Ms. Lofgren.
Ms. Lofgren. Thank you, Mr. Chair. I am pleased to have
been involved with the introduction of this bill with you, Mr.
Chair, and working with our Senate counterpart, Mr. Wyden. I am
encouraged by the bipartisan support that has been expressed
for this measure today. I think it is essential that we move
this bill. It is essential, but also insufficient.
Many people, I think in their zeal to see the immigration
laws enforced don't realize that the Department of Homeland
Security and specifically ICE is one of the biggest privacy
offenders in the government. ICE has scanned the driver's
license photos of one third of Americans. ICE has access to
driver's license data of three quarters of adults in the United
States. ICE tracks the movements of drivers in cities that are
home to three and four American adults and ICE could locate
three and four adults through their utility records. It is a
massive privacy violation.
I would like to submit for the record several articles;
one, an ACLU article, ``New Records Detail DHS Purchase and Use
of Vast Quantities of Cell Phone Location Data,'' as well as an
article from the Intercept, ``ICE Search LexisNexis Database
Over 1 Million Times in Just Seven Months,'' and finally, from
the Center on Privacy and Technology, a publication called
``American Dragnet.''
Chair Nadler. Without objection.
[The information follows:]
MS. LOFGREN FOR THE RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Lofgren. I would like to ask you, Mr. Goodlatte,
whether you think, and by the way, thank you for being here. It
is good to see you. Whether you think the Fourth Amendment Is
Not For Sale measure as drafted would basically address the
sort of dragnet around the Fourth Amendment issue that we have
been discussing here. Does it get the job done?
Mr. Goodlatte. I think it would go a long way to addressing
some of the concerns that have been expressed and it would
cover all kinds of different types of actions. We have had
discussion here about Planned Parenthood clinics people
visiting those, but you also would have similar concern about
people visiting gun stores. So, this is a situation where the
principle of protecting people's rights under the Fourth
Amendment has to come first and we certainly support the right
of State and Federal law enforcement to enforce their laws, but
they have to do it following the rules.
I think this would help, but there are other issues,
geofencing location, for example, is not addressed by this
bill. There was a recent court opinion that struck down a
geofence warrant and that may be a good sign, but I think that
is something also that the Committee should look into very
closely. Then you have issues that don't really address the
jurisdiction of this Committee, but the sale of this
information to foreign governments, for example, is not covered
in the legislation and there should be separate legislation
addressing that.
Ms. Lofgren. Well, maybe that is something we can talk
about along with our Senate counterparts. I think this is
important to move forward on, however, the fact that our data
is being collected is an underlying problem and we need to do
something about that in addition to moving this action.
Congresswoman Eshoo and I introduced the most comprehensive
Federal privacy legislation in Congress called the Online
Privacy Act. It would set forth the most thorough and
aggressive set of privacy rights among the major proposals in
Congress. I wouldn't ask any of the Witnesses to take sides
along the various measures that are being introduced, but one
of the measures that I think is pending in the--our sister
Committee Energy and Commerce, would allow data brokers to
continue to collect Americans' data as long as the data broker
is acting on behalf of the Federal, State, or local
governments. So, that would include purchase of this material.
Would you agree with that, Ms. Goitein or Professor Lamdan?
Ms. Goitein. I think it is very important to ensure that
the Federal government or State or local governments cannot buy
their way around the protections in existing statutory law and
the Fourth Amendment. I think any sort of comprehensive privacy
legislation would need to tackle that. I will also say that
while I very much support comprehensive data privacy
legislation, and I think that is an effort that Congress should
throw itself into, I also think that Congress should move ahead
very quickly with the Fourth Amendment Is Not For Sale Act
because there is no reason to delay that. I think what Congress
needs to do is to close the gaps that have opened in existing
laws that are allowing the government to evade those laws while
simultaneously taking on the larger project of expanding the
universe of privacy protections.
Ms. Lofgren. My time has expired. I very much agree with
you, and I yield back, Mr. Chair.
Chair Nadler. The gentlelady yields back. Mr. Issa.
Mr. Issa. Thank you, Chair Goodlatte, good to see you. I
will concentrate some of my questions on you.
From a constitutional standpoint, our Founding Fathers, I
presume that while they were protecting against the British
pounding on the door and coming in looking for venison to find
out whether you were a poacher without a warrant, I am assuming
that if they went down the street to the pub and asked, has
Clancy been in here today, it was legitimate to ask that
without a warrant.
Would that be a fair depiction of the status quo 240 years
ago?
Mr. Goodlatte. Yes, it would and through most of American
history that would be the case and probably not viewed as a
problem. It is the change in technology that has evolved,
particularly since ECPA was passed and we have tried to reform
it that the massive amount of information that is gathered
without people even knowing that it is being gathered, and the
fact that information in the past was about some of the very
personal things that people have would have been in their own
possession, not in the possession of a third party stored in
the cloud if you will. That changes that and I think
necessitates both the court's evolution which we have seen in
recent cases, and the need for Congress to act.
Mr. Issa. So, now let's skip forward a quarter of a
millennium or stay back there for a moment. That same example,
if not law enforcement, but a friend was to knock on your door
and you opened it and you let him in, he would be entitled to
notice the smell of venison and could be queried on that,
right?
Mr. Goodlatte. It would be.
Mr. Issa. If he went down the street and said has Clancy
been in and the bartender said yes, he was in, and he staggered
out a little while ago, that would be okay?
Mr. Goodlatte. It would.
Mr. Issa. So, really this is not a new problem, but in
fact, a problem in the making not just for law enforcement
which I understand that we are looking at the government here
today, but my question to you is the data that we are in many
cases talking about in the hands of Google, through android, of
Apple, and a myriad of other original source gatherers is being
provided to the guy that isn't law enforcement, but simply
somebody who will buy and whether that is a data broker or the
Russian Government, the Chinese Government, or a myriad of
other people, personal data that is the equivalent of what was
safely held within your house is being made available broadly
to anyone who will buy. Is that a fair statement?
Mr. Goodlatte. It is.
Mr. Issa. So, as we, as a Committee, look at this and I
realize there are other Committees with some jurisdiction, not
the least of which would be Energy and Commerce, our challenge
is to restore the original intent, the original intent being
that which is held to be yours and reasonably expected to be
for privacy must be returned to privacy not just for law
enforcement, but for all those who would seek to gather it and
then purchase it.
Mr. Goodlatte. Well, I would recommend that this Committee
and other Committees look at all those examples, but this
Committee has primary jurisdiction over the intent of the
Fourth Amendment which is to prohibit government and by that I
mean U.S. Federal, State, and local government from getting
access to your data without probable cause.
Mr. Issa. Now, I have a question for each of our Witnesses.
Almost all you, I am sure are familiar with the HIPAA laws.
HIPAA defines this privacy of personal, medical information
specifically and limits both law enforcement and everyone else
from sharing that data without informing and without your
consent.
Do each of you agree that what we really need is the
equivalent of HIPAA for all information that would be on that
side of maybe publicly disclosed, but not intended to be
disclosed, including, but not limited to if the doctor says how
are you feeling today in the waiting room, that does not
suddenly make the answer well, I have got a cold, be something
for dissemination. Quick answers if I could, because to me this
is the essence of our question.
Ms. Goitein. HIPAA has the advantage of restricting
disclosure to nongovernment entities as well. HIPAA has some of
the same drawbacks as some of the other privacy laws in that it
protects only personally identifiable information, and
healthcare providers are selling their data in aggregate, which
can then be de-anonymized
HIPAA also only covers certain healthcare institutions and
providers. It does not cover, for example, app developers that
would acquire some of the same data. So, there are aspects in
which HIPAA works better and especially the one you mention,
but there are also some design flaws as well.
Mr. Issa. I guess, all else, if I don't hear they agree.
Mr. Chair, we can do better than HIPAA in this Committee. With
that, I yield back.
Chair Nadler. The gentleman yields back. Mr. Cicilline?
Mr. Cicilline. Thank you, Mr. Chair, for convening this
group of experts for today's hearing to discuss how the
government uses personal data and how it collects it. Countless
corporations collect, store, package, and sell our personal
data. This has become an unavoidable feature of the 21st
century, and I think few Americans understand what happens to
their data after it's been collected and even fewer grasp the
ways law enforcement can access and use their data.
We have a right to our data and a right to know how it's
used and accessed, especially by large corporations and law
enforcement. With that, I have a couple of questions. I first
want to say welcome to Chair Goodlatte. It's great to see you.
So, my first question is, Professor Lamdan, there's been--I
know some companies allow users to opt out of data collection
or review privacy policies. Apple is always very proud of
allowing iPhone users to change privacy settings for activity
conducted on its platform. Do companies need to provide notice
to users that their personal data is being collected by the
companies that acquire it and are users typically aware their
information is being retained and then sold.
When they do provide notice, is it usually in a way that an
average user understand the consequences? I guess what I'm
really getting to is, on the whole, do you believe allowing
consumers to choose what data is collected is an effective
solution to protect consumer privacy against government access
to personal data sets? Or does more need to be done as a
practical matter to protect consumers?
Ms. Lamdan. That's a really good question. The answers is
unfortunately, no, that's not sufficient. We all know, we all
click, I agree, multiple times a day. Those agreements are all
just saying that basically whatever data we hand over, it
becomes theirs.
They can sell it to whoever they want. We will not know
what happens with that data afterwards. So, yeah, obviously,
there's a real shortcoming in our current kind of end user
license agreement system where you just agree to have your data
taken and resold in perpetuity.
Mr. Cicilline. Is it fair to conclude that most Americans
have no idea that they are consenting to the sale of that data
to third parties?
Ms. Lamdan. Yeah, absolutely, absolutely. Also, in a lot of
situations nowadays, companies try to make users feel more
comfortable by saying, hey, we're going to anonymize your data.
We're going to strip your name out of it. Nobody is going to
know it's you.
Google does that a lot. Your data can be re-identified with
just several other data pieces about yourself. So, yeah,
anonymization is also an illusion.
Mr. Cicilline. A Norwegian study found that Perfect365,
MyDays, and OkCupid shared user data with a large number of
third parties, including IP addresses, GPS locations, age, and
gender. Furthermore, a lot of this information is collected by
third party trackers deployed by apps and the websites. So, my
question is, Ms. Goitein, how does the sale of such information
to enable law enforcement or the government the ability target
Muslim Americans as an example, LGBTQ+ Americans, other
religious groups, or other historically underserved
communities? Have you see examples of that kind of use?
Ms. Goitein. The short answer is yes, we have seen
examples. I will say that the practice of buying data and the
ways in which government agencies use that data is extremely
non-transparent. There has been just a remarkable lack of
transparency or even acknowledgment by government agencies that
they are doing this, let alone any details about how the data
is being used.
We have certainly, through the efforts of investigative
reporters, found out, for example, as I said earlier, that the
Department of Defense was acquiring geolocation information
from a popular Muslim prayer app that's used by 98 million
people around the world, including people in the United States
as well as a Muslim dating app. Police departments, we know,
have contracted with data brokers who advertise their ability
to track racial justice protesters, Black Lives Matter events,
and the like.
So, we have absolutely seen that. It shouldn't be
surprising, because when law enforcement has to actually get a
warrant, has to show probable cause of criminal activity, that
makes it much harder for law enforcement officers to fall back
on conscious or subconscious prejudices. When there are no such
restrictions, you are going to see more targeting of
marginalized communities. I'm sorry to say that is certainly
what we are seeing, and we'll see more of.
Mr. Cicilline. Thank you. Chair Goodlatte, if the
government can target one community, they can target any. How
concerned should we be that the government or law enforcement
is able to purchase such information in criminal or
counterintelligence investigations with little concern for
Fourth Amendment protections.
Mr. Goodlatte. Well, I think they should be able to acquire
that data as long as they're following the rules. They have
some basis for showing probable cause that they should have
access to the information. Right now, we have a situation where
we've shown a number of examples in our testimony here today of
government agencies.
By the way, we've mainly talked about the Federal
government. State and local governments are very heavily
involved in this as well. They're simply going around the
requirement of showing a warrant by gathering massive amounts
of data and then picking at that data. When they co into court,
they reverse engineer the evidence to show, yes, this person
did this, this, and this, and don't show that they originally
targeted their suspect by looking at thousands of law-abiding
citizens to find the one.
That is exactly what the Fourth Amendment was designed to
address and why the Congress needs to Act here. The courts are
moving in this direction as well with the Carpenter decision,
with the Riley decision. We shouldn't wait for the years it
will take for the courts to catch up with this technology.
Mr. Cicilline. Thank you. With that, I yield back. Yield to
you, Mr. Chair.
Chair Nadler. Thank you. Very quick question to Ms.
Goitein. You mentioned--everybody has mentioned that the
government tracks Muslims. Do they track other religious groups
like Jews or Baptists?
Ms. Goitein. They could track anyone they want. I mean,
these companies--
Chair Nadler. Do we have any knowledge whether they do?
Ms. Goitein. We don't at this point. Again, absence of
evidence is not evidence of absence--
Chair Nadler. Of course. Of course.
Ms. Goitein. --in a situation where there is absolutely no
transparency.
Chair Nadler. Thank you. Mr. Jordan?
Mr. Jordan. Thank you, Mr. Chair. On that feed, Mr. Tolman,
has geotracking been used for political purposes? I mean, I
think about 12 years ago, we know the IRS specifically targeted
conservatives. We know that the FBI targeted a presidential--
the conservative presidential campaign.
As Mr. Goodlatte pointed out in his testimony; the FBI has
conducted 3.4 million warrantless searches. Homeland Security
tried to form a disinformation governance board just a few
months ago. Of course, the DOJ as we speak is currently
targeting moms and dads that show up at school board meetings.
So, I want to know if this kind of data geolocation has been
used in a political manner as well.
Mr. Tolman. There's no question that it has, Mr. Jordan. I
think you highlight one important aspect of this and that's who
is in power focuses on who their adversaries are. We see that
DOJ does that and they have done that.
It's especially concerning when you view its use in
connection with the secrecy of FISA and the other ability that
they have to justify what decisions they make. I'm aware of an
individual who received a knock on the door because he was in
Washington, DC, on January 6th. He did not go in the Capitol,
was not there for the rally. He was contacted by an FBI agent
because he was in Washington, DC, on that day.
Mr. Jordan. Didn't even attend the rally, but just happened
to be in the Capitol city--his Capitol city that his tax
dollars pay for.
Mr. Tolman. That's correct.
Mr. Jordan. Yet he had a knock on the door and had to
answer a few questions from the FBI?
Mr. Tolman. That's correct. There's no other way that they
could've known that information, but for the digital footprint
that he left with his phone.
Mr. Jordan. Would you agree, Mr. Tolman, that Mr. Nadler's
bill is a good step in the right direction to begin to deal
with this problem?
Mr. Tolman. It absolutely is. I think it's encouraging
that's bipartisan on this particular issue, because there's
nothing more important right now than reigning in government
potential abuse.
Mr. Jordan. Let me just go down the line. Maybe I'll start
with our Witnesses here in person. Do you have similar--because
I also have concerns about facial recognition technology and
how that can be used. Do you have similar concerns, Ms.
Goitein?
Ms. Goitein. About facial recognition technology?
Mr. Jordan. Yeah.
Ms. Goitein. Absolutely. I think that is one of the
scariest technologies out there because it could wipe out any
form of anonymity that we have in our society. We've seen the
way it's been abused in countries like China, which uses
technology to track and essentially persecute the Uyghurs, a
Muslim minority in that country. We also know that it doesn't
work very for people of color and seniors and women.
Mr. Jordan. Right. Huge percentage where they're wrong when
we're talking about African Americans and other minority
groups.
Ms. Goitein. People have been falsely arrested in front of
their children.
Mr. Jordan. Yeah. We were working in a bipartisan way with
Chair Maloney on trying to get some legislation last Congress.
Unfortunately, we didn't get it done. I hope it did. Mr.
Goodlatte, I assume you share the same concerns.
Mr. Goodlatte. Absolutely. Again, going back to the
question that Mr. Issa had, the difference between the broader
scope here and the narrower scope of this legislation is those
entities, corporations, governments outside the United States,
we should address those, absolutely. They cannot pound on your
door, knock I down, arrest you, prosecute you, imprison you,
fine you, tax you, and regulate you. Only government can do
that, and that's why this legislation is unique and ought to be
taken up.
Mr. Jordan. Yeah, it's called the Fourth Amendment,
exactly. Ms. Lamdan?
Ms. Lamdan. Yeah, I agree with everything everybody said. I
would add that's one of the reasons why it's so important to
also make sure that the large data brokers are included. Like,
not just the facial recognition and geospatial geolocation data
brokers because one of my fears is that if we focus on facial
recognition, then the facial recognition companies will just
sell their data to one of the major data brokers and it's still
found its way into the government. So, yeah, I think that--
Mr. Jordan. Yeah. No, we got to stay ahead. I remember a
few years ago I was concerned about the stingray technology.
The IRS had bought this technology which allowed this device to
function like a cell tower.
Now, that's outdated and they're way past that. So, we
don't know what's coming next. So, yeah, we got to make sure we
design it right. This is certainly important legislation that
needs to happen. With that, Mr. Chair, I would yield back.
Chair Nadler. The gentleman yields back. Mr. Johnson of
Georgia?
Mr. Johnson of Georgia. Thank you, Mr. Chair. I've listened
carefully to the testimony. I would just want to point out that
as we have entered the information age with so much information
being available to all for a fee. Why not allow the law
enforcement agencies to purchase specific data for their
purposes?
I'm speaking along the lines of Representative Issa who
talked about law enforcement just doing not surveillance, but
just doing old fashioned shoe leather investigatory work, going
around asking questions, looking at cameras in a public camera
that's mounted on a pole. Those things can happen these days.
What I'm interested in is understanding among law enforcement
agencies, both local, State, and Federal, which law enforcement
agencies are the most prolific purchasers of data? Can any of
the Witnesses inform us of that?
Ms. Lamdan. Well, it's hard to tell because there's a real
lack of transparency as Elizabeth has been saying around what
these contracts entail and what entities these agencies are
contracting with. I do know--it's well known that ICE is a
major--they're developing big infrastructure that focus on
predictive policing analytics and data brokering analytics. I
think if people knew how many State and local law enforcement
agencies who are also using these technologies, they would be
shocked.
Mr. Johnson of Georgia. That's what I'd like to know. Who
are the agencies? Are they State, local, or Federal? Can you
identify those agencies?
Ms. Lamdan. So, I know that LexisNexis alone contracts with
over 1,300 local and State law enforcement agencies and I'm
not--a lot of agencies--
Mr. Johnson of Georgia. Well, what kind of data?
Ms. Lamdan. For all--
Mr. Johnson of Georgia. What kind of data?
Ms. Lamdan. All the data. They sell data dossiers
containing--
Mr. Johnson of Georgia. But, generally speaking, what kind
of data is mostly sought by law enforcement agencies?
Ms. Lamdan. So, they purchase data dossiers that contain
over 10,000 types of data from 10,000 different sources. It's
billions and billions of data points that are everything from
your job history, geolocation data, work history, home address,
all your licenses, and voting records.
Just everything, and more and more they're also buying
predictive policing technologies. So, those are algorithms that
kind of sift through that data and predict--they draw up heat
lists about who's most likely to commit a crime, where those
people are, who their associates are.
It's really, really invasive and I don't think there's a
kind of data that isn't included.
Mr. Johnson of Georgia. Let me ask you this question. What
entities or individuals are the prime targets of this data
collection by the agencies that are most prolific in collecting
that data?
Ms. Lamdan. I mean--
Mr. Johnson of Georgia. We don't know who that is, but tell
us what kind of data are they seeking and against whom.
Ms. Lamdan. It tends to disparately impact people who
already have a lot of data in the criminal record system, which
is usually people of color, especially Black men, and then--
Mr. Johnson of Georgia. So, we're, basically, talking about
local law enforcement agencies developing information on
criminal suspects who are thought to, perhaps, have violated
State laws?
Ms. Lamdan. Yeah. Go ahead.
Ms. Goitein. If I could just jump in on that.
When you ask who is being targeted, I think that one of the
main problems is that no one is being targeted. It's a dragnet.
What we are seeing is agencies purchasing entire databases
of information so that they can sift through that and decide--
maybe they have someone of interest or maybe they're looking to
see suspicious patterns so they can decide who they want to
learn more about. This is not a situation where they have
probable cause that someone has committed a crime and so they
are looking for data that would support that.
Mr. Johnson of Georgia. Just proceeding on a reasonable
suspicion, a reasonable articulable suspicion, shouldn't law
enforcement--shouldn't law enforcement be able to deal with
data on that basis?
Ms. Goitein. It depends on how sensitive the data is. If
the data is, for example, not geolocation, if it's some other
form of third-party records, then the standard can be
relevance, and then they have to show relevance to a court and
get what's called a D order. So, it's both the standard they
have to meet that is important, but also the process that they
have to follow.
Let me just--when you say ``reasonable suspicion,'' the
ACLU's documents show that during a three-day period in 2018
for just one piece of the southwestern United States, DHS
collected 113,654 location points. DHS did not have reasonable
suspicion for each one of those--for any of them. This was
dragnet collection so that DHS could then sift through that
data and decide what it wanted to do with it.
Mr. Johnson of Georgia. Thank you. I yield back.
Chair Nadler. The gentleman yields back.
Mr. Gaetz?
Mr. Gaetz. I've heard enough, Mr. Chair.
I believe that we could have bipartisan agreement on
legislation out of this Committee that might be our hallmark
achievement of this Congress.
I want to echo the point Mr. Issa made. It is not just the
government that engages in these really terrifying data
marketplaces. It's the Chinese Communist Party, Russia, big
corporations.
Chair Goodlatte, does the Walt Disney Corporation engage in
this terrifying data marketplace?
Mr. Goodlatte. I don't know the answer to that.
Mr. Gaetz. You're their lobbyist, right?
Mr. Goodlatte. I do work for them, but I don't know the
answer to your question.
Mr. Gaetz. So, you used to Chair this Committee. You come
here and you tell us about all the harm in this data
enterprise, but you don't know that--you're the Republican that
the Disney Corporation hired because they have problems with
the Republicans, and you didn't ever talk to them about this?
Mr. Goodlatte. I came here today to testify regarding the
importance of this legislation, which, as you noted, is
bipartisan and it relates to the importance of the government--
Mr. Gaetz. So, the LA Times says Disney is running the
happiest surveillance operation on Earth. Have you seen that
article from the LA Times?
Mr. Goodlatte. I have not seen it.
Mr. Gaetz. I think it would--okay. I think it might have
been when you were Chair that it came out.
Disney has actually been sued. They've been sued because
Disney installs software on applications used by children and
then they not only buy data from data brokers, but Disney also
then turns around and sells the data that they collect off of
children.
Are you familiar with that litigation?
Mr. Goodlatte. I am not.
Mr. Gaetz. There's a Forbes article that came out while you
were Chair of this Committee and it talks about the robots that
Disney sends around its park to collect data on the people at
the park to utilize. Quote, ``Disney is even dabbling in making
robotic versions of Mickey and Minnie and all of its characters
that would move around with the guests and interact with
them.''
So, as you sit here and talk to us about the harm of this
data enterprise, are you concerned that the people who pay you
also engage in that very same work?
Mr. Goodlatte. I think that it would be appropriate for the
Congress to look at data collection practices beyond the scope
of what this Committee is looking at here today.
I also think it's very important to understand that what
government can do with that data is very different than what
individual enterprises can do and so that's why I'm here to
talk about the Fourth Amendment--
Mr. Gaetz. Sometimes, right? I saw in your testimony you
say, well, only the government can tax you and only the
government can regulate you.
What I'm worried about is that private entities can try to
program you. They could try to get you to think a certain way
and they can use this data in a very harmful way.
Like, particularly, with the Walt Disney Corporation that
is in business with the Chinese Communist Party, that thanks
the Chinese Communist Party for all the accommodations they got
in the filming of ``Mulan,'' does it concern you that the Walt
Disney Corporation is selling the information of children?
Mr. Goodlatte. I don't know that's the fact.
Mr. Gaetz. Are you being purposefully ignorant to the fact
that Walt Disney engages in the very activities that you're
here testifying against?
Mr. Goodlatte. Well, I do not know the facts that you've
stated. So, I can't comment.
Mr. Gaetz. Well, right. Are you purposely not learning them
so that you can simultaneously take money from Disney to try to
make them look less evil to Republicans and then advocate on
behalf of other organizations before the Congress that critique
the very work that Disney is doing?
Mr. Goodlatte. I'm here to advocate on behalf of people who
are concerned about abuses of the Fourth Amendment.
Mr. Gaetz. Chair Goodlatte, do you remember a conversation
you and I had when you led this Committee at the Capitol Hill
Club where you said the best way to be successful in the
Judiciary Committee is to find interest groups that are opposed
to one another and to tell both of them that you'll support
their position so they'll both make donations to your campaign?
Mr. Goodlatte. I definitely do not remember the
conversation.
Mr. Gaetz. You're under oath, Chair.
Mr. Goodlatte. I do not. No.
Mr. Gaetz. Well, I hope that's not the case in lobbying as
well that you go and that as a legislator you try to find
interest groups to play off of one another.
Then as a lobbyist you go and take money from the Walt
Disney Corporation that is quite literally buying and selling
data in precisely the way that you find objectionable today.
I think it's a reason why a lot of people are concerned
about folks who go from being in Congress to being members of
the lobby corps and then using the relationships that they've
developed to sell influence, and that selling influence can be
just as damaging sometimes as the buying and selling of data.
The Walt Disney Corporation that goes against so many of
the values of their own patrons, certainly, isn't worthy of
that and since there's no Federal legislation on this issue, it
doesn't seem like it's preempted.
So, maybe if we had a really smart governor like Governor
DeSantis in Florida, they could actually have State-based laws
that would attack these issues.
Wouldn't that be quite a thing?
Mr. Chair, I now seek unanimous consent to enter a few
articles in the record.
All right. I have ``Disney takes over Hulu, a company with
serious data collection issues'' from komando.com.
I have from the LA Times ``Disneyland is tracking guests
and generating big profits doing it.''
I have from wdinfo.com ``Disney facing lawsuit over
collecting and selling children's personal information.''
I have ``Disney Uses Big Data, IoT, And Machine Learning To
Boost Customer Experience,'' and that is from Forbes.
Chair Nadler. Without objection.
[The information follows:]
MR. GAETZ FOR THE RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Chair Nadler. The time of the gentleman has expired.
Ms. Garcia?
Ms. Garcia. Thank you, Mr. Chair and thank you for
convening this very important hearing. I apologize. I was tied
up on the floor in a few matters.
I just want to say that it's just refreshing to see that we
have a bipartisan hearing this morning.
We simply cannot allow our government to descend into a
surveillance State. Enough Big Brother government snooping
around our lives. The Fourth Amendment's protection against
unreasonable search and seizure is not just a flowery phrase we
learned in law school and our Constitution.
The government cannot bypass constitutional limitations
through private contracting. Allowing law enforcement and
intelligence agencies to outsource their public function
through data brokers and obtain Americans' personal information
offends the rule of law.
This unchecked practice is a threat to our democracy. It
undermines our civil rights and our civil liberties. As history
has made clear again and again, unchecked government policing
weighs heavier on the already oppressed or marginalized--the
poor, communities of color, LGBTQ+ individualism and
immigrants.
Mr. Chair, I ask unanimous consent to enter for the record
several articles, one by Politico entitled ``Homeland Security
records show `shocking' use of phone data, ACLU says,''
secondly, Washington Post entitled, ``ICE investigators used a
private utility database covering millions to pursue
immigration violations.''Also, a Wall Street article, ``Federal
Agencies Use Cellphone Location Data for Immigration
Enforcement.''
According to these reports, the ICE--
Chair Nadler. Without objection.
[The information follows:]
MS. GARCIA FOR THE RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
Ms. Garcia. Thank you, Mr. Chair.
According to these reports, the ICE accessed databases
containing phone, water, electricity, and other utility
records. This data included 400 million names, addresses, and
service records for more than 80 utility companies, including
water, gas, electricity, phone, and internet--basic
necessities.
Professor Lamdan or Ms. Goitein, both of you, can you
describe the quantity of information available to ICE agents at
any given time or any other law enforcement that has similar
contracts?
Ms. Lamdan. Yeah. I compare the way these agencies get data
to a fire hose. They get data from thousands and thousands of
sources, updated in real time. They have billions of data
points, and they have these dossiers that are linked to each of
our names. They have over 30 million dossiers that are just
constantly getting updated with new data.
Then on top of that, they have data analytics that sift and
sort the data. So, even if I don't know somebody's full name or
I only know part of their phone number or Social Security
number, I can enter that tiny little bit of data about somebody
that I know and pull up their entire dossier, and then I can
sift and sort people based on where they are.
Ms. Garcia. Do you know any specific as to utility records
that are used against immigrants in terms of ICE?
Ms. Lamdan. Yeah. Yes. Specifically, so they often say that
when ICE tracks somebody and ICE locates somebody the first
thing people ask is, like, how did they know who I was? How did
they know where I live? That is linked to the NCTUE, that
utilities data, because it connects your home and license
plate.
It connects critical pieces of data about you together.
Then, that can be linked to all that other data--that fire hose
of data that is coming in.
So, it just gives ICE and other agencies just a really
robust data set to kind of have a lot of different ways to see
where you are at any given time, what you're doing.
People have been found based on Facebook posts that
they've--there was a woman who was selling pinatas and ICE
agents were able to track that Facebook post through these data
dossiers that include that utilities data to her, and they
offered to buy one of her pinatas as pretext to then arrest
her.
Ms. Garcia. Well, I like pinatas, for the record.
Professor, can you shed any more light on this particularly
regarding ICE?
I'm sorry. I thought there was a Professor Lamdan in the
group.
Ms. Goitein. There are two professors.
Ms. Lamdan. Yeah, there's two. Sorry. There are two
professors.
Ms. Garcia. Oh, I'm sorry. So, where's the other professor?
There she is.
Ms. Lamdan. Yeah, Professor Wexler.
Ms. Garcia. She's on the screen. I'm sorry. Since I got
here late, I didn't get to see everybody.
Ms. Wexler. The issue that I would like to highlight for
the Committee is that regardless of what data is being targeted
or who's being targeted, allowing the accused to challenge the
quality of the data is essential to prevent wrongful arrests
and accusations and convictions.
Thank you.
Ms. Garcia. Thank you.
Mr. Chair, I yield back. I see I only have one second.
Thank you.
Chair Nadler. The gentlelady yields back.
Mr. Bishop?
Mr. Bishop. Thank you, Mr. Chair.
Mr. Gaetz's questions had sort of focused my mind a bit. I
was somewhat taken, Mr. Goodlatte, with the suggestion that
past this bill our jurisdiction is focused on the Department of
Justice and so forth, how the Fourth Amendment is interpreted
and so we ought to focus on that.
Isn't it possible that proceeding in that way would just
empower private entities more? Can't private entities, when
they gather these massive stores of data, can't they be the
source of abuse?
Mr. Goodlatte. Oh, certainly, they can, and I believe that
legislation should be pursued in that regard as well. The fact
of the matter is this Committee has jurisdiction over this
narrower focus regarding protecting the Fourth Amendment.
The broader issue also should be addressed, but it
encompasses more Committees than just this one.
Mr. Bishop. Ms. Goitein, is that how you say your--
Ms. Goitein. Yes. Goitein.
Mr. Bishop. Goitein. Thank you.
Let me sort of pursue that also with you. So, it concerns
me that by proceeding to restrict government in the way the
Fourth Amendment Not For Sale Act would do that we would reduce
political pressure to deal with the rest and we might, in fact,
empower private entities to engage in abuse. What do you have
to say to that?
Ms. Goitein. I wouldn't say that at all. I really don't
think this is a zero-sum game here. I think we can build
privacy.
Start with the low-hanging fruit, which is these loopholes
that have opened in existing laws, because it's easy enough to
get those plugged, and the same time, you can be working on
expanding the universe of privacy protections. I don't think it
would remotely take away the political pressure because a lot
of the companies that we're talking about, really, have become
household words and villains, frankly. I think people are upset
about the ways in which advertisers and other corporate
entities are using their personal data without any meaningful
consent on the part of those people, as Professor Lamdan was
talking about.
I see no reason to fear that people will simply forget
about privacy issues if the government is required to adhere to
the legal process that the Fourth Amendment and Congress have
put in place.
Mr. Bishop. How about you, Mr. Tolman?
Mr. Tolman. Well, I would say that the first order of
business is to make sure that there is transparency and
accountability with government. If you can't do that, then when
you seek to rein in the private sector you are incapable of
utilizing government to do so.
Mr. Bishop. Ms. Wexler?
Ms. Wexler. Well-meaning privacy statutes that try to
regulate commercial exploitation of information have a
disturbing trend.
They often include exceptions for law enforcement access
but no exceptions for criminal defense counsel access, meaning
an unintended side consequence of those privacy statutes is
that they increase disparities between investigations of guilt
and investigations of innocence.
It would be wonderful for the Committee if it's considering
those regulations to include parallel symmetrical exceptions or
no exceptions at all.
Thank you.
Mr. Bishop. So, Professor Wexler, just maybe to pursue
that, I sort of followed it. I never did any criminal law. Is
it conceivable that you would be--by imposing the restrictions
you describe on government that you would be unilaterally
empowering defense counsel or the defense against government
and creating a tilted playing field for criminal prosecution?
Ms. Wexler. There is a possibility that privacy statutes
could selectively prohibit law enforcement and not prohibit
criminal defense access.
The majority of privacy statutes do the opposite. They
selectively empower law enforcement investigations while
entirely or, largely, blocking criminal defense access.
So, an example is the Stored Communications Act. Section
2702 gives a broad bar on service providers disclosing
voluntarily the contents of stored communications.
Section 2703 has an exception for law enforcement. There's
no exception for criminal defense investigations.
Mr. Bishop. Professor, that's how--I appreciate it. I
didn't want to cut you off. I've got one more question I want
to squeeze in.
Does anybody here have any information on the FBI--the
current information on the FBI's purchase and use of the
Pegasus software that allows access to a cell phone without any
indication on the cell phone to collect information?
[No response.]
Mr. Bishop. Nobody is up to speed on that one. That one's
really spooky to me.
All right. Then in that case, Professor Wexler, I've sort
of cut you off. Did you finish your point?
Ms. Wexler. Well, one other thing I would add is that it is
also entirely within the power of Congress to enact privacy
statutes that create evidentiary privileges, meaning they would
entirely block both law enforcement and criminal defense access
and civil litigants.
Thank you.
Mr. Bishop. Thank you, and I yield back.
Chair Nadler. The gentleman yields back.
Ms. Dean?
Ms. Dean. Thank you, Mr. Chair, and I'll be quick. I have
to admit, this set of testimony is extremely chilling on this
hot day. So, thank you for bringing all this to light. Thank
you, Mr. Chair, of course.
Maybe I'll start with you, Professor Wexler.
Pre-Dobbs and now post-Dobbs, can you give me--describe the
risk and the reality of State or local or Federal law
enforcement or other agencies purchasing data to identify
people seeking healthcare choices, seeking abortion care?
Is there any tracking, for example, of women who are
tracking their own menstruation? I remember a hearing in here
under the previous administration where we had administrators
at ICE detention centers tracking menstruation of those young
women who were detained. Scary stuff.
What's the reality pre-Dobbs and post-Dobbs?
Ms. Wexler. Thank you for the question.
This data tracking means that people who are pregnant and
seeking access to medical care are extraordinarily vulnerable
to having their data sold to vigilantes as well as provided
voluntarily to law enforcement or obtained by law enforcement
across State lines, and one thing this Committee could spend
time considering that would be time well spent is enacting an
evidentiary privilege via statute.
So, Pierce County v. Guillen is a Supreme Court opinion
authored by Justice Thomas. It affirms that Federal statute 23
U.S.C. 407 creates a facially absolute evidentiary privilege in
both Federal and State court through statutory text that says,
quote, ``information protected under that statute,'' quote,
``shall not be subject to discovery or admitted into evidence
in a Federal or State court proceeding, or considered for other
purposes in any action.''
So, the data tracking that we're talking about makes
pregnant people who are seeking medical care extremely
vulnerable post-Dobbs and this Committee could do more than
enact privacy statutes that limit or regulate access.
Indeed, it has the power to enact evidentiary privileges
that would block Federal or State law enforcement from
accessing abortion-relevant data at all. That would be time
well spent.
Ms. Dean. Thank you very much.
All this conversation reminds me of the Watergate era
expression ``follow the money.''
So, Professor Lamdan, can you describe the kinds of money
that government is spending? Who's profiting from this? What
authorizes the government to spend millions of dollars to
collect our data? I'd like to find out about the money.
Ms. Lamdan. That's a really good question.
Yeah, millions and millions of dollars. ICE's contract with
one data broker alone, LexisNexis, has for $16.8 million and
Thomson Reuters, another data company, has over $30 million in
contracts with the same agency.
I'm not sure--they also have contracts with Palantir and
with other data analytics companies. So, cumulatively, across
agencies State, local, and Federal hundreds of millions of
dollars are being spent on these contracts and the
beneficiaries are these data broker companies, right. They're
the data companies themselves--these data technology and data
collecting companies.
Ms. Dean. Can you speak to them? Who are data brokers? Who
are these--
Ms. Lamdan. There's this niche industry. So, there are
commercial data brokers that sell data that track--to make ads
to track us and to advertise to us. These government data
brokers are much more insidious because, as Chair Goodlatte
said, ``they actually can break down our doors and violate our
rights, and the main companies that are involved in that work
are LexisNexis, Oracle, Thomson Reuters, Palantir.''
On State and local levels there's another kind of layer of
data companies. There's COPLINK. There's PredPol. There are all
these data collection companies and then analytics companies
that kind of crunch that data that are received and purchased.
Ms. Dean. Chair Goodlatte, in the last half a minute,
anything you want to add as to following the money?
Mr. Goodlatte. No, I think Ms. Lamdan has covered it very
well.
Ms. Dean. Thank you very much. I yield back.
Chair Nadler. The gentlelady yields back.
Votes have been called on the House floor. The Committee
will now stand in recess until immediately after the conclusion
of these votes.
The Committee is now in recess.
[Recess.]
Ms. Ross. [Presiding.] The House Judiciary Committee will
come to order. Mr. Buck is recognized.
Mr. Buck. I thank the Chair.
Chair Goodlatte, I have a few questions for you. The first
one is: Do you like action movies?
Mr. Goodlatte. I do.
Mr. Buck. I do also. I don't have a great memory on all the
movies, but I remember Bourne Ultimatum and how the U.S.
government used sort of a geolocation tracker to track people
without a warrant. Constitutional? Unconstitutional?
Mr. Goodlatte. I don't know if we have enough facts, but
probably at least partly unconstitutional.
Mr. Buck. Okay. There are other movies that have the
government looking at bank information without a warrant.
Constitutional? Unconstitutional?
Mr. Goodlatte. I would say unconstitutional.
Mr. Buck. They actually have some movies where they are
doing surveillance but they have these super cool things that
probably exist now; I have just never seen them, that you can
look inside someone's home and see what they are doing inside
the house, not just through an open window, but through a wall.
Maybe they go down the chimney from a satellite or some crazy
idea. Constitutional? Unconstitutional?
Mr. Goodlatte. I would have to defer to Eliza or somebody
else on that one because I've seen some court decisions on that
and I'm just not sure how the courts came down on it, but I--
Mr. Buck. Okay. Let me ask you this then--
Mr. Goodlatte. I would be a little suspect of it.
Mr. Buck. How about creepy?
Mr. Goodlatte. What's that?
Mr. Buck. How about creepy? Can we use creepy instead of
constitutional? It is kind of creepy to have people looking
through walls at what you are doing inside your house.
Mr. Goodlatte. Creepy for sure.
Mr. Buck. Okay. So, I guess what I am trying to get to is
government can't do those things directly and it shouldn't be
able to do those things indirectly. Chair Nadler has a bill to
that effect, and I want to support that legislation. What I am
concerned about is should corporations be able to do that, and
particularly a corporation like Google.
Should Google--when you sign up for a Gmail account, you
get this contract and on page 23 there are two sentences that
say you waive everything. Should the government, or should
Congress have some requirement that each time you are making a
waiver you have to enter into that agreement? You have a
choice: You can waive everything, you can waive it each time
you use it, or you can never waive it. Should there be
something out there that at least inhibits to a certain degree
the private companies from doing that which we find creepy?
Mr. Goodlatte. Congressman Buck, I would say that the more
opportunities that the consumer has to decide for themselves
whether or not they want to make certain information available
to Google or other companies and control how Google might
utilize that information, the better.
Mr. Buck. I love the fight that goes on sometimes between
Apple and Facebook and some of these other companies. I love it
when two giants are fighting over something. There are
occasions where Apple will assert certain privacy. I think they
have a business interest, frankly, in asserting that privacy,
but they will assert certain privacy on behalf of their
customers.
If we had 10 Googles, if we had a DuckDuckGo that was
prominent, would that help solve part of this problem? If we
had competition and there was a niche market for some consumers
like you and I who just find it creepy that these companies
know everything about us because we have the audacity to want
to know how to get from point A to point B, from our home to a
Christmas party at some coworker's that we have never been to
before and we use a GPS device to get there. Now, they know
everything and everywhere we have been. We just want to use
technology in a way that benefit us, and yet they have this
surveillance economy where they are creating this data profile
on us. Is there a benefit to competition in the marketplace
that could help deal with some of these issues?
Mr. Goodlatte. Again, I think the more choices the consumer
has in terms of how they can control or access their
information that if one competitor; and Apple does promote this
and DuckDuckGo does promote this, the more opportunities you
have to choose I'm going to use this search engine, I'm going
to use this operating system, I'm going to use this Gmail or
email account, I think the better off the consumer is.
Mr. Buck. In the last few seconds I have, how do we use the
antitrust laws to try to expand competition and create that
kind of opportunity for consumers?
Mr. Goodlatte. Well, I think that antitrust laws definitely
should be utilized to promote competition. Giving the consumer
more choices is a benefit of more competition and, so Congress
should always look it from that perspective.
Mr. Buck. Thank you very much and I yield back.
Ms. Ross. Okay. Mr. Raskin is recognized.
Mr. Raskin. Could Ms. Scanlon go before me? Can we switch?
Ms. Ross. Ms. Scanlon is recognized.
Ms. Scanlon. Thank you so much.
As more of our lives shift online, obviously robust digital
privacy protections become more and more important and the
immense cache of digital data that we each generate by carrying
one or two smartphones or whatever it becomes really
staggering. Obviously, legally we have to catch up some, and it
seems as though the Supreme Court's kind of narrow and
antiquated possibly interpretation of personal privacy rights
is not meeting this moment.
So, I had a couple questions. Ms. Goitein, is it? The
Fourth Amendment guards against unreasonable searches and
seizures and it has been interpreted by the Supreme Court in
Katz to include a reasonable expectation of privacy. Do you
think that Americans still have a reasonable expectation of
privacy in their online browsing and cellular phone use when we
hold that up against the Katz decision?
Ms. Goitein. They absolutely do have a reasonable
expectation of privacy. Whether the court will acknowledge that
they have that expectation and honor it is the question that I
think we're all asking.
As I mentioned in my opening remarks, the Supreme Court has
begun to catch up. The fact that the court recognized that
people have a reasonable expectation of privacy in their cell
phone location information, even though they quote, ``share''
unquote, that information voluntarily with the phone company,
is a major step forward, because it means that even when
information is stored by a third party--highly, highly
sensitive information--the court might still be willing to give
it protection.
Unfortunately, the court very explicitly limited its
holding in that case, Carpenter v. The United States, to the
facts of that case, to historical cell phone location
information collected by the police. It could be years before
the court looks at, say, web browsing history, or DNA, or,
communications metadata. Each kind of information, each
technique by which it's collected and stored, each kind of
company that stores it and shares it is going to be a different
use case, a different fact pattern that comes before the court,
and it's going to take years.
Americans' Fourth Amendment rights should not hang in the
balance during that period. That's why it's so important for
Congress to step in and fill that gap.
Mr. Scanlon. Yes, it is certainly something--you have
raised several issues. First, this idea that we voluntarily
turn over this data when it is voluntary. If you want to use
the service, you end up forfeiting a lot of this data.
So, what can we do? I mean we are in a situation where
there are any number of things. We would like Congress to pick
up the ball and enact legislation if we can get our Senate
colleagues to go along. What do you suggest we do?
Ms. Goitein. I think there's been broad bipartisan
consensus here today among the Witnesses and among the Members
that the Fourth Amendment Is Not For Sale Act is an important
measure and that it should be passed quickly. What that law
will do is close some of the gaps that technology has opened in
the Electronic Communications Privacy Act, and also the Foreign
Intelligence Surveillance Act. It will plug the gaps in
existing laws that are allowing the government to evade those
laws. That's something that can be done quickly and in a very
straightforward way.
At the same time, I think there's also been fairly broad
agreement that it would behoove Congress to undertake
comprehensive data privacy legislation. That's a big project,
but Congress should throw itself into that effort.
Mr. Scanlon. Thank you. Professor Wexler, we have heard a
lot of concerns raised recently with the abortion bans that are
going into effect in some States about how data could be used
to track women's travel or attempted access to reproductive
healthcare. Can you talk about how that relates to our
harassment today with respect to concerns about law enforcement
using data and how that compares to other criminal
prosecutions?
Ms. Wexler. Absolutely. Thank you for the question. It's a
real concern. There's been a lot of discussion about period
tracking apps and other reproductive health apps. Those do put
pregnant people seeking medical care at risk, but it's not only
those apps. It's location information. It's web search history
information. It's chat messages, text messages. Unencrypted
chat messages have already been used to charge one woman who
miscarried with feticide and another with murder.
So, the discussions the Committee is having now on data
privacy are all the more urgent post-Dobbs, but I would urge
the Committee not to stop at the Fourth Amendment Is Not For
Sale Act or at a privacy statute, but enact an evidentiary
privilege that would block Federal and State law enforcement
access as well as civil litigant access. Thank you.
Ms. Scanlon. Thank you. I yield back.
Ms. Ross. Mr. Chabot?
Mr. Chabot. Thank you very much. I want to thank the
Witnesses for sharing their insight today so that we can get a
better understand of the collection, use, and retention of
personal data, which is obviously a very, very important issue.
I would note that Chair Nadler and I worked together on
something called the Defense of Privacy Act back in the day
when I was actually Chair and he was Ranking Member of the
Constitution Subcommittee, and something that we worked on
pretty earnestly for quite some time. Back then our primary
concern was the potentially unconstitutional collection of
personally-identifiable information by government agencies.
Today, most people voluntarily surrender far more
information to private companies than the Federal government at
that time ever thought about collecting. That is what makes the
situation that we are discussing today so concerning to so many
Americans. The breadth and depth of information about nearly
every American held by private companies is breathtaking and
can easily be abused if adequate safeguards are not in place,
but domestic abuse of this information is not our only concern;
we face significant challenges from abroad as well.
In addition to serving on this distinguished Committee, I
also serve as Ranking Member of the House Foreign Affairs Asia
and Pacific Subcommittee, and on that Committee we strive to
counter the immense threat the People's Republic of China
poses, not only to Americans, but to the human rights of its
own people.
It is well known that the Chinese Communist Party uses a
vast surveillance network to track, analyze, and manipulate its
1.4 billion citizens. The CCP, the Chinese Communist Party,
sees information as power. Their dream is a database that fully
integrates everyone's movement, phone records, spending
history, interactions with friends, health records, social
media posts, and on and on into one giant web of surveillance.
We are not China. The Fourth Amendment protects against
warrantless searches and seizures. The Supreme Court has long
interpreted the Fourth Amendment to safeguard the privacy and
security of individuals against arbitrary invasions by
government officials.
Given the constant evolution of technology virtually
everything about an individual nowadays is online, whether you
intentionally put it there or not. Accordingly, Congress must
continue to exercise oversight to ensure the reasonable
expectation to privacy that is guaranteed under the Fourth
Amendment. We have to make sure it is not compromised by law
enforcement, by practicing purchasing bulk data information
without a warrant, or by foreign actors who would steal the
same information for their own nefarious purposes.
So, now I will get around to a question. Chair Goodlatte,
let me ask you this: How should policy makers balance the
competing interests of the government's ability to prevent
crime and the civil liberty interests to the American citizen?
I would preface my question by noting that I know versions
of that have probably been asked. I was actually in a Foreign
Affairs Committee up to this point and so I apologize if you
have already been asked that.
Mr. Goodlatte. I don't think it's been framed quite that
way, and that's a very good question. It's obviously very
important for law enforcement to have the tools they need to
prevent crimes, to solve crimes that have already been
committed, and to effectively prosecute the individuals who
perpetrate those crimes.
I would argue that just in the last maybe two decades the--
it has gotten out of balance because the nature in which people
store their data has changed so dramatically. Information that
you didn't have stored, didn't have in writing anywhere at all
in the past now is stored about every aspect of your life, and
it's stored by a third party. So, the old adage that if you
don't hold it yourself, you're not subject to a warrant if a
third party holds it, they can get it without a warrant, that's
got to be reviewed.
The Supreme Court has recognized that in the Carpenter
decision, in the Riley decision with regard to cell phones,
with regard to geolocation information. So, I think it's
important that the Congress recognize that if we wait for the
courts to step up and not address the underlying doctrine
itself and say that given the amount of information that is
stored today that a new standard has to be set. That's what
this bill attempts to do in terms of the information that can
be garnered by law enforcement without having to get a warrant,
without having to show probable cause that they need it.
So, I think you can achieve that balance. I think law
enforcement can be effective, but I think they do need to
operate under new rules given the unbelievable amount of
information that they can simply walk around the Fourth
Amendment and buy now instead of having to comply with
traditional doctrine.
Mr. Chabot. Thank you very much. My time is expired
actually, I think.
Ms. Ross. Yes, thank you. Mr. Raskin is recognized.
Mr. Raskin. Thank you, Madam Chair.
Seems to me that most people believe as an abstract
proposition that people have a privacy right, if not a property
right in their own digital communications, their own digital
history, although I don't know we have established that
anywhere, and that might be something we really need to talk
about.
The problem is that when you get to a specific criminal
investigation or a civil investigation and people know that
there is a record out there relating to it, I think if you
polled people at that point people would say well, if there is
a record, then the record should be made available.
So, I guess I'm asking what do we do about that basic
problem? It seems like technology has a kind of momentum of its
own and once the facts and the data exist, there is a sense
that, well, the government should have access to it.
So, Professor Wexler, let me ask you about that.
Ms. Wexler. Thank you for the question. Evidentiary
privileges exist: The attorney-client privilege, the spousal
communications, the priest-penitent privilege. There is also a
slew of statutory evidentiary privileges that Congress has
enacted. Those shield existing data from law enforcement and
civil litigants. They block warrants, they block subpoenas,
they block discovery orders, they protect against wiretapping.
If law enforcement accidentally over-seizes a privileged
communication, they have to use a taint team to purge that
content before delivering it to a prosecution team. So,
privileges are more powerful than torts, than contracts, than
fiduciary duties, and they are even more powerful than the
Fourth Amendment. They exist for a good reason, and they could
exist for abortion-relevant data. Thank you.
Mr. Raskin. So, but what is the privacy privilege you are
positing there, or you are arguing for?
Ms. Wexler. Any abortion-relevant data could be covered.
Now, this is the specifics of this would be something that the
Committee would have to look into. I'd be happy to help however
I can. It's certainly within the power of this Committee to
identify especially sensitive data and protect it with a
statutory evidentiary privilege.
Mr. Raskin. Okay. So, Professor Wexler seems to be positing
a specific policy cutout for an evidentiary privilege related
to abortion-related travel or speech or so on, but we are also
talking about the more general problem, right?
Professor Goitein, let me come to you. The legislation I
understand we are talking about is to prevent the government
from purchasing information from data companies that it cannot
otherwise obtain directly. Is that right?
Ms. Goitein. That is right. It would not prevent the
government from obtaining that record if it could meet the
legal standard that would otherwise apply. So, if the
government can either get a subpoena or a court order or a
warrant under the applicable legal standard, it will have
access to that record. That gets to both your hypothetical
about people wanting their data to be private, but also, if
there's a record in existence, wanting the police to have
access if it will help with solving criminal activity.
Mr. Raskin. At least access through some kind of legal
mechanism.
Ms. Goitein. Exactly. That also gets to Congressman
Chabot's question. This is all about the balance between
privacy and law enforcement, the legitimate needs of law
enforcement, and that balance was established by the framers in
the Fourth Amendment. Americans have privacy rights. Those
rights can be overcome if the government can show probable
cause to a neutral magistrate.
Mr. Raskin. So, this is essentially the meta-technological
equivalent of saying that if the government can't enter your
home without a search warrant, they can't pay somebody who goes
into your--who breaks into your home or otherwise gains access
through some kind of duplicity saying that they are a carpenter
or a plumber or whatever, right?
Ms. Goitein. That's an excellent analogy.
Mr. Raskin. Yes. So, how big a problem is this? In other
words, has it become a habit of government to be able to
purchase data from companies to essentially execute warrants or
obtain evidence they would not otherwise be able to get?
Ms. Goitein. It certainly seems that way. I will say again,
I can't stress enough, that the government has been completely
non-transparent about this practice. So, what we know, we know
from investigative reporting, from non-governmental
organizations that have done their own investigations, from
lawmakers who have asked probing questions. From that, we get
pieces of a puzzle, and those pieces leave no doubt that this
is a widespread practice now among many Federal agencies, and
State and local agencies as well.
Mr. Raskin. Well, I thank you for that.
Madam Chair, this sounds like very sensible legislation to
me, and I will yield back to you.
Ms. Ross. Thank you. Mr. McClintock is recognized.
Mr. McClintock. Thank you.
Mr. Goodlatte, there seemed to be two principles here. One
is I feel very strongly about the Fourth Amendment's
protections, and it seems to be very crystal clear. We have a
right to be secure in our papers, those things that we either
write down or say privately. In my view that would include
metadata about those records. I would even go a step farther
and say whether your papers or effects are stored at your home
or are entrusted to some third party for storage, they are
still private and they would require a warrant to search them
under the Fourth.
However, a person can waive these rights in a contractual
agreement with another party if they wish to. If a person
agrees to terms of service that allow disclosure of aspects of
their private papers, seems to me they have that freedom. If
they don't like the privacy provisions that accompany offers,
they don't have to agree to it. They can choose a competitor or
do without. I am old enough to remember when we did without all
this digital technology. I don't for the life of me remember
how we did without it, but we seemed to do so very nicely.
So, my point is why should we interfere with the right of
two parties to agree to terms of service? What is wrong with
that.
Mr. Goodlatte. Well, that's a separate issue from the core
issue in the Fourth Amendment Is Not For Sale Act. I do think
that it would be good for the Congress to look at that
underlying issue that you refer to. Considering the fact that
I'm not the most prolific user of the internet, but I counted
yesterday. On my phone I have 160 apps. Most of those apps are
gathering information about me and storing it. I don't--
Mr. McClintock. Well, and by the way, I would assume a lot
of those apps sell that information. That is how they make the
money--
Mr. Goodlatte. Right.
Mr. McClintock. --to pay for the app and to provide you
with that service.
Mr. Goodlatte. Correct.
Mr. McClintock. So, if they can't sell that information--
Mr. Goodlatte. Correct. But they--
Mr. McClintock. --wouldn't they have to charge me for the
service they are now providing me for free, and how does that
help me as a consumer?
Mr. Goodlatte. Well, first, I think that the important
thing there is that the consumer understands and has that
choice.
Mr. McClintock. Right.
Mr. Goodlatte. That's a different issue than what's before
us today.
Mr. McClintock. Well, that is what it means to be a
grownup. You have to read it and stand by your agreements.
Mr. Goodlatte. Right. The Fourth Amendment does not apply
to that transaction. The Fourth Amendment applies if the
government wants to buy--
Mr. McClintock. Because I have essentially waived--I have
waived my right under the terms of privacy that I have agreed
to exchange for the service they are providing me.
Mr. Goodlatte. Correct. Did you waive your Fourth Amendment
right to not have the government, which would otherwise be
required to have a warrant or a subpoena or some other court
order, to get that information just because you had a
transaction with a company that got your information--
Mr. McClintock. I have told the other party in that
contract it is okay for you to sell certain information. You
are bound by the terms of that contract. You can't sell
information beyond that, but I have agreed to allow you to do
that in exchange for the service that you are providing me.
Mr. Goodlatte. I think that would--I think that's--
Mr. McClintock. Why would we interfere with that is--
Mr. Goodlatte. I think you're interfering with it because
the government has that power that other entities might buy
that information do not have.
Mr. McClintock. Which is why we have a Constitution to
restrain it, but that Constitution guarantees me not only my
Fourth Amendment privileges against the government to come
snooping into my affairs, but it also gives me the freedom to
enter into contracts with others that we find mutually
beneficial. I may find it mutually beneficial to get this free
service in exchange for selling certain of that data. That is
an informed consent that I have a right to as a consumer.
Mr. Goodlatte. Right, but the sale of the information to
the government puts the government in the picture as well and
the Fourth Amendment is directed at the government not
obtaining information without showing probable cause, without
providing a warrant.
Mr. McClintock. Let me ask you one other question on
location data. It doesn't seem to me that this falls within the
papers and effects definition. If someone observes your
movements in public, that isn't a search or seizure. I observe
you right here before me. Whether I make that observation once
or 100 times a day doesn't really matter. How does location
data fall within the Fourth Amendment?
Mr. Goodlatte. Well, I'd have to go back to look at the
Carpenter decision to interpret exactly how the court did that,
but the court has held that, and courts have held that, under
certain circumstances that information is protected.
Mr. McClintock. Thanks. I yield back.
Mr. Raskin. Would the gentleman yield for a question, or a
point? Because I think you make a good point that maybe it is
not unconstitutional, maybe it doesn't violate the Fourth
Amendment for the government to go to one of the big companies
and say we are going to purchase this data, but the question
for us is the policy question: As citizens do we want our
government engaged in the business of purchasing--
Mr. McClintock. I understand that, but the flip side of
that is, do we want our government interfering with our right
to contract with providers for services that we may find
appealing under the terms of that agreement? If they are
providing--again, the alternative is if they are making money
right now selling this data that I told them they can sell, but
they are not allowed to do that anymore because we have stepped
in, they are going to have to charge me.
Mr. Raskin. Well, they can still do it--
Mr. McClintock. They are going to have to charge the
consumer for that service and I am not sure that is in my
interest as a consumer.
Mr. Raskin. They can still sell it to the rest of the
world, but what we are saying is as citizens we don't want our
government circumventing Fourth Amendment restrictions by being
in that market.
Ms. Ross. Gentlemen, your time has expired.
Mr. Swalwell is recognized.
Mr. Swalwell. Thank you. I want to focus on what access to
locational data and personal data means with respect to living
in a post-Dobbs world where a woman's right to reproductive
freedom is now being infringed upon and we are seeing State
efforts to try and track down patients who are crossing State
lines to seek abortion services. The Attorney General of
Indiana is investigating a doctor who performed a termination
of pregnancy on a 10-year-old who had to leave Ohio after she
was raped to go seek this service in Indiana.
So, I have a lot of concerns about what this could mean in
the future. I want to begin with the Republicans in the
minority have promised that if they were to achieve the
majority, if they were to win the House in November, that they
are going to use broad subpoena powers in their new majority.
So, my first question is for Professor Wexler. Professor
Wexler, if Jim Jordan as Chair of the Judiciary Committee
wanted to seek a patient's records or a patient's travels under
locational data that is available, would he be able to do this
with the amount of data that is out there?
Ms. Wexler. Absolutely. The existing data would be
vulnerable to such a subpoena. There is a wealth of data to
track pregnant people's actions seeking medical care. However,
if this Committee enacted an evidentiary privilege, that would
also have the power to block a Congressional Subpoena.
Mr. Swalwell. If Chair Jordan in a Republican majority
wanted to go after doctors who perform abortion services or
doctors who are in communication with patients, is there enough
data out there that under the law today he would be able to do
that?
Ms. Wexler. Yes, there is.
Mr. Swalwell. If Chair Jordan in a Republican majority
wanted to go after abortion service providers to understand who
they are communicating with, would he be able to subpoena this
type of data?
Ms. Wexler. Yes, he would. Existing privacy statutes like
HIPAA would not prevent that even though they apply to
traditional medical service providers because they have
exceptions for law enforcement access, and that would apply for
Congress. I'm also certainly--I'm almost certain. I could
double-check that and provide confirmation for the record.
Mr. Swalwell. In a Republican majority would Chair Jordan
be able to subpoena companies who provide travel reimbursements
or travel to employees who have to leave their State to go to a
State that can provide abortion services?
Ms. Wexler. Yes.
Mr. Swalwell. Crisis pregnancy centers which continue to
skyrocket as States across the country ban abortion are faith-
based groups that often misrepresent themselves as reproductive
health clinics. Their mission is to dissuade pregnant women
from having abortions at any cost. A recent Time Magazine
investigation shined a light on how far these centers will go
to harm women who are seeking essential health services.
In fact, the Time study found that these centers collect
substantial sensitive data on women who come to them for help
including addresses, marital status, demographic information,
sexual and reproductive histories, test results, ultrasound
photos, and information shared during consultations.
Because crisis pregnancy centers are not licensed medical
clinics and offer their services for free, they are not legally
bound by Federal health data privacy law. Furthermore, these
clinics often do not employ privacy notices which prohibit data
obtained from being sold to the highest bidder.
Professor Wexler, can you explain how crisis pregnancy
centers would be able to weaponize data against women who are
merely seeking additional resources when they aren't able to
obtain an abortion in their State?
Ms. Wexler. Well, any private entity who obtains data that
would identify people who are seeking abortions could
voluntarily hand that information to law enforcement who could
use it for antiabortion prosecutions, or under some State
statutes they could sue as civil plaintiffs as well.
Mr. Swalwell. So, you are telling me that a woman who is
making the very personal decision about whether or not she
wants to have a pregnancy and have a baby could go to a
pregnancy center, consult with the employees at the pregnancy
center, and that they would be able to obtain data under the
law as it exists today and turn it over perhaps as a bounty as
you would be able to do in Texas, if they believed that she was
going to have an abortion?
Ms. Wexler. That's correct.
Mr. Swalwell. I yield back.
Ms. Ross. Mr. Tiffany is recognized.
Mr. Tiffany. Thank you, Madam Chair. I am assuming the
gentleman from California wasn't referring to the bounties that
have been put on Supreme Court Justices.
Mr. Swalwell. Would the gentleman yield?
Mr. Tiffany. We heard the conjecture that was going on--
Mr. Swalwell. Would the gentleman yield?
Mr. Tiffany. No, I will not.
Mr. Swalwell. Well, you asked me a question.
Mr. Tiffany. No, not a chance.
Mr. Swalwell. I wasn't referring to that and I condemn all
violence. Why don't you do the same?
Mr. Tiffany. May I have my time back?
Mr. Swalwell. You do the same.
Mr. Tiffany. May I have my time back?
Mr. Swalwell. You condemn violence; I will do it, too.
Mr. Tiffany. May I have my time back? The gentleman that
was referred to in the previous question, Representative
Jordan, he actually spoke favorably earlier in this Committee.
I think we all heard that. He spoke favorably towards this
bill. To do all this conjecture is just to scare people and it
is really unfortunate.
Ms. Goitein, you heard the exchange with Representative
McClintock earlier, and would you like to comment on what you
heard there and are there protections in place that should be?
Ms. Goitein. Sure. The notion that when a person accepts
the terms and conditions of an app, that this is an equal
negotiation between parties in which voluntary choices are made
and everybody leaves with what they wanted out the transaction,
belies the reality of these situations, where first, the
consent is not truly informed consent. If you look at these
privacy policies, these terms and conditions, apps will often
say that they will not disclose your data to the government and
that they will not disclose your personal data at all, but they
will not tell you that they are going to disclose your data in
aggregate or in an anonymized fashion to other entities that
may very well disclose it to the government.
I have yet to see a privacy policy that actually says,
We're going to give your data to third parties and those third
parties can do whatever they want with it and even though we
have de-anonymized it, you can be identified. It can be traced
back to you. I haven't seen that policy. I don't know how many
people would readily consent to it.
That brings me to the second point, which is whether there
is actually truly a choice here to consent, because this is the
business model, certainly for free apps. If you are not paying
for the product, you are the product. If you decide that you
don't want any of these companies to share your data, you are
effectively saying that you're not going to use apps, which is
another way of saying you're not going to participate in the
conveniences of modern society.
The Supreme Court in Carpenter was very clear that the
Fourth Amendment does not require people to choose between
their Fourth Amendment rights and participating in modern
society. So, I think the analogy just doesn't hold up.
Mr. Tiffany. So, are you somewhat saying that there are
different forms that they deliver this message, or these
messages, or your information to the government? Is that
accurate?
Ms. Goitein. That's certainly accurate, yes.
Mr. Tiffany. Okay. Earlier we had some allusion to ICE and,
Ms. Lamdan, I'd like to address a question to you. We were
talking about limitations of using data and what this bill is
all about. When it comes to protecting our border, including we
have had the greatest number of known terrorists that have
crossed our border, should all these limitations that we are
talking about here today--should they all be in place for
people that want to come illegally into our country?
Ms. Lamdan. Everybody whose data is being used by law
enforcement should have transparency and notice around that. I
think that just applies to all humans who make these, as Liza
pointed out, not really illusory agreements, right? We're all
agreeing. We're all volunteering to give our data over, but
it's to move about with our phones or just do the basic things
of life. I think that there's a balance between not letting law
enforcement use the data at all, which is not what we're
advocating for, but between giving people notice and
transparency that, hey, your data will be used in this way.
Mr. Tiffany. So, the Biden Administration is giving out
phones that are probably tracking people coming into the
country illegally or organizations like the organization for
immigration--international organization. Should they be able to
use that data with those tracker phones that are coming in?
Ms. Lamdan. Law enforcement should be able to do the work
of law enforcement as long as warrant requirements and due
process is given. So, as long as there's notice and probable
cause.
Mr. Tiffany. One more question.
Thank you very much. Representative Sensenbrenner was the
Chair of this Committee. Mr. Goodlatte, you served with him. He
wrote an article six months ago. It was ``The PATRIOT Act
Wasn't Meant to Target Parents.'' Where did the PATRIOT Act go
off track?
Mr. Goodlatte. Well, I think the PATRIOT Act went off track
in not defining some of the areas that set parameters around
government gathering data. So, that's why we have the USA
FREEDOM Act that followed on. It was intended to cover the
government's acquisition of mass data from telecommunications
companies, but it was also intended to be a broader ban on
government gathering mass data.
Now, I think that should cover some of the problems that
we're experiencing today, but lawyers for the government have
gone right around that and said well, as long as we're buying,
we don't have to comply with the law or the Fourth Amendment.
Mr. Tiffany. I wish I could pose a lot more questions, but
I will yield back.
Ms. Ross. Okay. Ms. Jackson Lee, you are recognized.
Ms. Jackson Lee. I thank the Chair very much. I thank the
Witnesses. I thank Chair Nadler, Ranking Member, for holding
this hearing. We, the Judiciary Committee, are being definitely
tasked in our responsibility, so I am grateful to have this
opportunity.
It is good to see Chair Goodlatte. We worked together on a
number of these initiatives, including the Patriot Act, where
the Judiciary Committee had to save America from violations
that would have undermined their right to privacy and their
rights under the Fourth Amendment without jeopardizing our
national security.
Let me pose this example: In 2018, Mississippi mother
Latice Fisher was charged with second degree murder and held
for several weeks on $100,000 bond after experiencing a
stillbirth. Evidence used in her indictment included online
search history taken from her cell phone that showed search
terms related to inducing miscarriage and medication abortion.
Then, in 2019, prosecutors in Ohio used a teen's online
search on how to get rid of a baby as evidence that she killed
her newborn in a murder case where the teen was ultimately
acquitted. We want justice. We want justice in a fair way.
Professor Wexler, can you speak to how broad the use of
data and invasion of privacy can be in the name of law
enforcement and law enforcement's responsibility and
responsibilities that criminal courts would think that they
would have?
Ms. Wexler. Absolutely. So, data can be abused at all
stages of the pipeline and it is essential to have some privacy
regulations that restrict law enforcement access, but even
restricted access, even probable cause warrants will not
protect pregnant people seeking medical care from antiabortion
prosecutions. To do that this Committee would need to enact an
evidentiary privilege which would be stronger than existing
privacy or confidentiality statutes. It would be stronger even
than the Fourth Amendment. It would preclude the use of
abortion-relevant data in investigations or in trials.
Ms. Jackson Lee. I think that if I can pursue this with
you, I would not have ever imagined ourselves to be in this
predicament. One, Roe v. Wade being obliterated by the court,
50 years of precedent. Then in a new world of technology where
data is everywhere. Would you comment on the data brokerage
firms and how they gather this information in the sense that it
can be every aspect of your life?
Ms. Wexler. So, this is a really important question. Thank
you for the question. I actually think that other Witnesses may
be better able to speak as fact Witnesses to the data brokerage
firms, so I want to yield my--if possible, to another Witness
to answer that question.
Ms. Jackson Lee. Ms. Lamdan?
Ms. Lamdan. Yes, I'm happy to answer that question. So,
you're absolutely correct that these data brokering firms get
data from thousands of sources and they don't reveal--there's
no transparency around what these sources are. So, they could
easily have all the data that you're concerned about and then
they engage in licensing contracts with State, local, Federal
law enforcement, and other agencies. The agencies can use that
data however they'd like. There's no oversight or supervision
about how the agencies are using these data, these data
products.
Ms. Jackson Lee. Chair Goodlatte, I have a moment. What
should Congress be doing? This is so vast. It is how should I
say, it continues to metamorph into new technology. What should
Congress be doing?
Mr. Goodlatte. Well, I think a great first step would be to
pass the Fourth Amendment's Not For Sale Act that's been
introduced by Chair Nadler. We've heard from Members on both
sides of the aisle today who've given it good reviews. So,
there may be some additional work there. I know some Members
have some amendments they'd like to offer, but perhaps the
Committee could work in a bipartisan way to finalize that
legislation and pass it out of the Committee. Then there would
be a lot of people on the outside--certainly my organization,
the Project for Privacy and Surveillance Accountability would
be very committed to working to get that legislation passed
through the Congress.
Ms. Jackson Lee. Thank you so very much, Madam Chair. Thank
you to the Witnesses. I yield back.
Mr. Stanton. [Presiding.] Thank you. Mr. Bentz, you are
next.
Mr. Bentz. Thank you, Mr. Chair.
Director Goitein, it has been suggested by a number of
different people and commentators and others that if
appropriate data had been gathered and appropriate algorithms
applied the tragic situation in Uvalde could have been avoided.
Ms. Goitein. Sorry, which tragic--
Mr. Bentz. The tragic situation in Uvalde, Texas could have
been avoided. So, how would you respond to someone who suggests
that data be used in this fashion?
Ms. Goitein. It's always easy to say that in retrospect.
It's always easy to say oh, if we went back and looked at that
person's social media posts, we would have known. The reality
is that the number of people who post on social media the kinds
of things that some of the people who do engage in violent acts
post is astronomically larger than the number of people who
actually take violent action. It is notoriously difficult to
predict who is going to engage in violence. So, while it's
tempting to say that if we could go back and get access to this
person's social media feed or to their data, we would find the
silver bullet that would tell us that this person was going to
do what they did--that's very, very tempting--it's not the
reality.
Mr. Bentz. Thank you.
Ms. Goitein. Yes.
Mr. Bentz. Chair Goodlatte, first thank you for coming to
my office and sharing with me your thoughts regarding some of
the challenges we face on this Committee. I deeply appreciate
the time you took.
So, at what point does the gathering of data by private
companies become violative of civil law? In other words, it has
often occurred to me if everyone knew exactly how our data was
manipulated, molded, folded, and utilized, we wouldn't be happy
about it. I have often thought back to law school days and
thought about civil claims such as fraud and the inducement in
that thing. So, are there any grounds do you think for a
private party to become a plaintiff in a civil law suit based
upon inappropriate use gathering and then directing of a data?
Mr. Goodlatte. It's a really interesting question. I think
that without more of a legal structure to put constraints on
the gathering of the information unless they gathered it
through some kind of subterfuge, they actually broke into a
computer system and stole the information, they may not face
the kind of liability that you and I might think there might be
some grounds for.
I really think that this technology has gotten so far out
ahead of society in general, and the Congress in particular,
that it's time for the Congress to look at this broader issue,
not just the issue that's before the Committee today with
regard to government buying the data, but the broader issue and
what kind of liability should arise from that. I think that's
about all I could offer at this point.
Mr. Bentz. Thank you. The second question back to Director
Goitein, and it has to do with the sweeping up of massive
amounts of data. Then the assertion that's been made by several
of you over the last couple of hours has been that all will be
well if we simply go get a warrant for probable cause. Yet, the
grounds upon which that warrant would issue are dramatically
different than what they were back when I used to do very badly
criminal law defense work.
So, how can anybody say the old standard of probable cause
makes any sense whatsoever when the data in front of them is so
massive and so different shall we say than that which we used
to present when anticipating a criminal action?
Ms. Goitein. Well, first, I would say that a number of the
different categories of data that we're talking about actually
would not require a warrant. They might require a subpoena, or
they might require what's called a D order under the Electronic
Communications Privacy Act. Not all information is Fourth
Amendment protected information that requires a warrant.
Geolocation information is one of the main commodities that's
being purchased. That should be protected by a warrant.
In terms of how the warrant requirement has evolved I think
that's probably a better question for Professor Wexler. I'm
sorry to say I don't know enough about that.
Mr. Bentz. Let's hop to her very quickly. Professor Wexler,
what do you think?
Ms. Wexler. Thank you. Well one thing that's changed is
that when law enforcement collects data, it doesn't necessarily
know flaws in the collection method. So, hacking was brought
up. If hacking was engaged in by a private entity and then that
information was laundered through a series of data brokers,
even if law enforcement obtained a warrant at the end to
purchase it downstream, they might not get access to that
extremely important exculpatory information that the defense
would need to know.
So, one thing the Committee might consider is adding
additional requirements in these contexts beyond probable cause
to identify and gain possession of exculpatory or impeachment
material that law enforcement, otherwise wouldn't obtain and
that's essential to protect defendants' Brady and statutory
discovery rights.
Mr. Bentz. Thank you. Mr. Chair, I yield back.
Mr. Stanton. Thank you very much. Ms. Jayapal is
recognized.
Ms. Jayapal. Thank you, Mr. Chair. It is good to see you,
Chair Goodlatte.
I wanted to focus my comments on another part of sensitive
data, which is face recognition technology. This is also an
area where we have had a lot of bipartisan interest. There is a
lot of sensitive personal information that is requested
constantly from law enforcement from both commercial brokers
and State government to surveil the public with face
recognition technology. Face recognition technology is up to
100 times more likely to misidentify people of color. There are
very few guardrails in place to regulate the use.
The unregulated application of this technology to our most
sensitive information, our faces, is precisely why I introduced
the Facial Recognition and Biometric Technology Moratorium Act,
which presses a pause. It doesn't say never, but it presses a
pause on unregulated government use of face recognition and
biometric monitoring.
This past year, the IRS planned to contract with ID.me,
requiring anyone accessing their tax records online to upload
images of their photo IDs and a live video of their face with a
computer or a smartphone. While the IRS ultimately abandoned
this plan, ID.me still has contracts with 10 Federal agencies
and 30 States. In fact, there is an entire market of commercial
platforms that collect sensitive data from users to sell to the
government.
Because I want anybody who is watching this hearing to
understand what pieces of data, I am going to direct some
questions at you, Professor Lamdan. You can just answer yes or
no, in terms of whether this information is available to the
government.
So, the LexisNexis Digital Identity Network collects and
processes people's online log-ins, payments, and new account
applications. Is that information available to the government?
Ms. Lamdan. Yes.
Ms. Jayapal. Babel Street collects digital device location
data derived from online advertisers and popular mobile apps.
Is that information available to the government?
Ms. Lamdan. Yes.
Ms. Jayapal. Clearview AI uses facial recognition
technology to harvest and store millions of photos from social
media users across multiple platforms. Is that information
available to the government?
Ms. Lamdan. Yes.
Ms. Jayapal. So, these are just examples of the many ways
in which, if you are just using the internet, you are using
programs, your information is accessible.
Now, the Federal government also uses face recognition
technology to analyze State-level data. Since 2015, U.S.
Immigration and Customs Enforcement has performed face
recognition scans of driver's license databases in at least 14
States. Up until the discovery of this practice in 2018, this
included my home State of Washington.
Professor Wexler, are immigrants the only people whose
licenses are being process here, or does it go way beyond that?
What Fourth Amendment--let me just add to that--what Fourth
Amendment implications does this have for every person in the
country?
Ms. Wexler. It goes way beyond this. Everybody's
information is being collected and their faces are being
included in DMV and other databases. So, this is an issue that
affects all of us.
Ms. Jayapal. Driver's licenses, when you think about it, we
use it for everything--I mean, literally, everything.
So, Professor Lamdan, just stay with ICE for a minute. How
does ICE's use of facial recognition technology on State
driver's licenses impact people's lives, and are there impacts
on public safety or health?
Ms. Lamdan. Yes. So, that is why I think the title of
today's hearing is dragnet, right? They don't just pick out
particular driver's licenses. They sift all our driver's
licenses and all our data through these systems, these
predictive policing systems, predictive analytic systems, and
especially in the case of like driver's licenses and car
tracking.
There have been fatal car chases. There have been all sorts
of incidents where people's lives have been put at risk due to
kind of this data tracking and people's use of data--or I'm
sorry--ICE's use of data.
Ms. Jayapal. So, it is really not that ICE is just focusing
on immigrants. As they go through, they are going to take the
entire scope of driver's licenses that are there and analyze
anybody's?
Ms. Lamdan. Yes. Exactly. They are going to sift
everybody's data through their system, and they have access to
everybody's data. As you said, these systems tend to
discriminate and have biases, and have just kind of errors in
them that tend to target certain types of--like you said about
facial recognition, it tends to disproportionately misidentify
people of color. So, yes.
Ms. Jayapal. Thank you. I think it is important for people
to understand--and I am glad for this hearing because the
Federal government has built out a very invasive and
unregulated surveillance infrastructure through the use of
these technologies, including face recognition technology.
I had a question for you, Chair Goodlatte, but I am out of
time. So, I thank you again for being here.
I yield back.
Mr. Stanton. Thank you. Mr. Owens?
Mr. Owens. Thank you, Mr. Chair, Ranking Member, and
Witnesses, for holding this very important hearing today.
First, let me just start off by saying that I applaud this
bipartisan approach that this Committee has taken in terms
access to our personal data, and I look forward to supporting
this legislation.
I also want to thank my friend, Brett Tolman, for his
participation as a Witness. Mr. Tolman has a long and
distinguished career and service in my State of Utah, where he
is a U.S. Attorney. He has since been an innovative and fair
voice in criminal justice reform, among other important issues.
Mr. Tolman, Ranking Member Jordan earlier discussed a
little about tracking of citizens for political reasons. I want
to leave the remainder of my time for any thoughts you might
have on that or anything else that you might want to add to
this conversation.
Mr. Tolman. Thank you, Representative Owens. It is great to
see you again and to be among discussions of such an important
topic.
I would say that the recognition that it goes both ways,
that power can be abused, no matter the political affiliation,
is very important. We have heard a lot of discussion about what
could be done for those that may be seeking an abortion in some
of the States, but it is equally as frightening to hear about
the potential use, based on someone's vaccination status, for
example, whether they believe in natural immunity. A lot of the
medical and health issues that we have discussed and seen over
the last two years with COVID have really brought to the
forefront the ability of the government to justify its use,
depending on the circumstances that it is currently enduring.
I believe that this can go back and forth, depending on the
political power that is currently in Washington, DC, or in our
State capitals, or across even our local and State
jurisdictions. We have seen that, when the Department of
Justice identifies a cross-section of individuals it is
concerned about, you hear language frequently suggesting that
they are a domestic threat, for example, or they may pose a
domestic threat. This is language that allows them to broaden
their capabilities and use surveillance to that end. It should
be frightening, and I am encouraged that the Congress is taking
these issues up.
Mr. Owens. Thank you so much, again, for your service.
I yield back.
Mr. Stanton. Thank you. Now, more than ever, the private
details of Americans' lives are for sale. As a consequence of
our connectivity, technology companies, smartphone apps, and
data brokers scoop up our sensitive data, ranging from our
internet searches to our home addresses, to our cell phone
locations, and neatly package them to sell in the marketplace
to other citizens, to foreign actors, and to the United States
Government. While brokers claim the data they sell is
anonymous, these companies maintain databases so large and
aggregate so much personal information that we all may be re-
identified by savvy purchasers of that data.
What is more, that data collection has been utilized by law
enforcement to modernize investigative tactics, relying on
warrants obtained through geofencing, keyword searches, and
cell site location information. While these tactics have aided
law enforcement in many cases, abuse of these warrants and
authorities have led to numerous civil rights violations,
particularly of the Fourth Amendment's protections.
For instance, in my home State of Arizona, a man was
wrongfully arrested, interrogated, and imprisoned, and accused
of murder, all because his Google location data indicated that
he had been in the vicinity of a shooting. As The New York
Times put it, such location data, quote, ``can help solve
crimes, but it can also snare innocent people,'' unquote, as it
did in this particular case.
It is not just law enforcement's ability to access this
data that causes me alarm. In our post-Roe world, in the wake
of several States proposing or enacting bounty-style laws which
reward vigilantes for reporting their neighbors and community
Members to police, I have grown increasingly concerned about
the safety of those seeking medical care or even just medical
information about reproductive health.
In fact, I joined many of my House colleagues in calling on
the FTC to use its full authority to ensure that data brokers
are protecting users' privacy and to strongly enforce privacy
standards against data brokers who break the best practices,
including by prosecuting their illegal actions.
It is clear that this issue is not going away, and Congress
must take action to legislate on privacy.
Professor Wexler, in the Arizona case I described, a man
was publicly and falsely accused of murder based upon his
Google location data. How do geofence warrants create
situations for mis-
identification and wrongful arrest?
Ms. Wexler. So, it is a really important question. I am
actually not an expert on the Fourth Amendment. My research
focuses on criminal defendants' access to data. So, I think
another Witness maybe would be better to speak on geofence
location warrants.
Mr. Stanton. Thank you. Any other Witness who would like to
speak on the issue of geofencing? Please.
Ms. Goitein. I would be happy to speak. Geofence warrants
are when the government goes to Google with a warrant and
requests the information for all the cell phones within a
particular geographic location for a particular time period.
The government can then look for suspicious patterns of
movement and use that to try to figure out who committed
whatever crime they are investigating. Google received more
than 11,000 of these warrants in 2020 alone.
Even though the government has a warrant, there is a major
Fourth Amendment problem with these warrants. The Fourth
Amendment has something called a particularity requirement,
which, roughly, means the government has to show probable cause
that searching a particular place, a particular home, or a
particular device will yield evidence of a crime.
Usually, the way that works is that the government has a
suspect, they can show probable cause that they committed the
crime, and they therefore have a justification for searching
that person's home or device, or what have you.
Geolocation warrants work in reverse. They allow the
government to obtain the Fourth Amendment protected information
of dozens, hundreds, maybe even thousands of people, even
before the government has a suspect. It is the equivalent of
searching every home in the neighborhood of a crime to figure
out who committed it. As you can imagine, if you are just
looking for suspicious movements, and then deciding that this
means that somebody is your suspect, that is going to result in
a fair number of false flags.
Mr. Stanton. Let me ask a follow-up question. Could a
geofence warrant be used in the case of an abortion provider,
for instance, to identify employees or patients of that medical
facility? If so, what harms could occur because of that
identification?
Ms. Goitein. Yes. A geofence warrant can be used for any
purpose. There does have to be a crime that the government is
investigating because there is a warrant involved. At that
point, the government can pull in the information of everyone
who was at or near a healthcare provider that provides abortion
care services.
That will, of course, probably sweep in a lot of people who
were shopping at the convenience store next door or who were at
the provider for reasons other than abortion care, as well as
obtaining Fourth Amendment protected information of women who
are seeking abortion care without meeting the legal standard
that needs to be met under the Fourth Amendment and under the
laws Congress has passed to obtain that information.
Mr. Stanton. It is a scary proposition.
Thank you. I yield my time back. Next, I will recognize Mr.
Fitzgerald.
Mr. Fitzgerald. Thank you, Mr. Chair.
Chair Goodlatte, thank you for being here today. It is good
to see you.
FISA exists to enable the government, obviously, to conduct
counterintelligence and counterterrorism operations. When other
criminal activity is incidentally discovered, it can be noted
and passed on to the appropriate authorities, obviously.
I don't think FISA was meant to be kind of this treasure
trove of information that law enforcement has kind of
discovered is very readily available and kind of at their
fingertips, until it was continued to be relayed to them on a
regular basis that all they had to do is come up with the
request.
It is such a massive database and there are so many other
communications, some of them foreign-related and international.
The problem is that some law enforcement agencies have used
kind of the national security information as predicated to be
unrelated to national security originally. The issue is, then,
they are hiding the origin of the cases from the judges and the
defense attorneys.
So, I was wondering, when you guys looked at this--and when
it has been before Congress now, there were some guardrails put
in place. Do you think law enforcement has jumped those
guardrails or are operating outside of those guardrails? If
they are, what could we do to bring that back together?
Mr. Goodlatte. I do think they have jumped the guardrails.
In the Congress, this Committee, in particular, is going to
have an opportunity next year to take up the form of section
702. That is a very important provision in FISA that allows the
gathering of information about non-citizens outside the United
States. Incidental to that, lots of information is gathered
about U.S. citizens, and that information is, then, shared with
U.S. law enforcement agencies, particularly the FBI.
We think that there are not enough guardrails to require
that the FBI show probable cause before they tap into that
database to examine the information that they have at hand. So,
that is an opportunity to take up in the future.
Another way around that has been for law enforcement--and
other government agencies, by the way; we are not just talking
about law enforcement agencies; we are talking about almost any
agency of the Federal government and almost any agency of a
State or local government to buy information. That is the
subject of the Fourth Amendment Is Not For Sale Act, which we
have heard a lot of bipartisan interest in here today, which I
think is a very good thing.
Mr. Fitzgerald. Thank you. Thank you very much.
Mr. Tolman, I wanted to direct a question to you as well.
CBP and ICE have spent literally millions of dollars on
contracts with data brokers like Venntel and LexisNexis. These
contracts are intended to help the agencies enforce immigration
laws, but there is a concern among many Members of Congress
that somehow this information is being gathered on American
citizens and being collected.
I am just wondering if you wanted to comment on that? Or,
certainly, that is a concern, even if you can't verify or
underscore that it is actually happening.
Mr. Tolman. Yes, no question, it is happening. No question
that these brokers, you know, the amount of data points that
they are able to gather is enormous.
Keep in mind that you are also dealing with a situation in
which the government, whereas, in times past they might have
had a fingerprint database that came as a result of someone
being arrested, and then, they have a database full of that, or
DNA evidence of suspects that were brought in, that is very
different than regular citizens of the United States, which
have much of the data that could be pointed towards them, and
sometimes falsely pointed towards them, for commission of a
crime.
So, we should be concerned, and we have to be very
concerned about the robust nature of the databases that are
being purchased by our government agencies.
Mr. Fitzgerald. Yes, I think one of the other issues is
this lackadaisical kind of approach, and I think any American
citizen who is not really in tune to this says, I have nothing
to hide. Who cares if they gather this information and box it
up, and put it into some kind of dataset?
That is another concern that I think Congress has to
address. What are your thoughts on that as well?
Mr. Tolman. Yes, I 100 percent agree. All my family
believes TikTok is very innocent and fun and the most enjoyable
part of their day. Yet, we are watching just the potential for
our privacy rights to be violated at enormous levels. So, I
hope Congress is our last hope to fix it.
Mr. Fitzgerald. Very good. Thank you.
Mr. Stanton. Thank you very much. I now recognize Ms. Ross.
Ms. Ross. Thank you, Mr. Chair. Thank you to all our
Witnesses for being here.
The Fourth Amendment is supposed to protect Americans
against unreasonable searches and seizures. However, the Fourth
Amendment remains dangerously undefined in the wake of
technological advances, and we have discussed that for several
hours here.
Today, it is nearly impossible to avoid technology, and
therefore, nearly impossible to avoid the consequences of using
technology, including the availability of personal data getting
into the hands of interested parties.
The Supreme Court recognized this reality in 2018, in the
Carpenter case, which found that the government must obtain a
warrant supported by probable cause to access cell site
location information of more than seven days in most
circumstances. In its decision, the court noted that the
services--cell phones--that are so pervasive, they are an
insistent part of daily life, and that carrying one is
indispensable to the participation in modern society.
More recent cases have also extended Fourth Amendment
protection to personal data. Earlier this year, Judge Hannah
Lauck ruled in the United States v. Chatrie case that law
enforcement's use of Google location data to find people near a
scene of a 2019 bank robbery violated the protections
guaranteed by the Fourth Amendment. She noted her deep concern
that current Fourth Amendment doctrine may be materially
lagging behind technological innovations and emphasized the
``analysis of geofences does not fit neatly within the Supreme
Court's existing `reasonable expectation of privacy' doctrine
as it relates to technology.''
Notably, both the Carpenter and the Chatrie rulings
highlight the fact that users often do not consent to the
surveillance they find themselves under, or they consent once
when setting up their accounts, without recognizing the amount
of personal data that can be accessed from their phones for
years to come.
While some laws, including the Electronic Communications
Privacy Act of 1986 and the Privacy Act of 1974, have attempted
to provide some degree of protections, and we have had some
later attempts, the last attempts are older, include loopholes,
and they allow government authorities to buy private data from
data brokers without a warrant, as we have discussed.
We, clearly, need a better understanding of the extent of
Fourth Amendment protections in the Digital Age and new
standards for ensuring consumers comprehend how their data can
be used.
I would like to ask--I know we only have two minutes left--
each of our Witnesses to say what one change they would ask
Congress to make in evolving Fourth Amendment jurisprudence
that would make a difference in the daily lives of our
constituents. I will start with Ms. Goitein, since she looked
like she was thinking, and then, we can move along the way.
Ms. Goitein. I'm conflicted. Do I have to pick one?
Ms. Ross. Well, I am sure somebody will pick the other one.
Ms. Goitein. There's the long-term and the short-term.
I'm sorry, I'm fighting the premise--
Ms. Ross. Pick two. Pick two. Go ahead.
Ms. Goitein. Okay. In the short-term, Congress should pass
the Fourth Amendment Is Not For Sale Act. That will go a long
way toward closing the loopholes in existing laws, and those
loopholes are what are allowing the government to buy its way
around the Fourth Amendment.
At the same time, I would begin the project of
comprehensive data privacy regulation because we need it. We
need laws that limit what information companies can collect;
how long they can store it; who they can share it with; and
what kinds of consent they need to share it.
Ms. Ross. Okay. Chair Goodlatte?
Mr. Goodlatte. Well, following along the lines of
protecting our Fourth Amendment rights, I would call attention
to something we haven't talked much about here today, and that
is the fact that, when the FISA court issues warrants allowing
for the surveillance of various parties that are brought to the
attention of the court, almost always there is only the
government and their making the argument that they should have
the opportunity to do the surveillance.
I think there are a number of circumstances, particularly
when civil rights, religious organizations, political
campaigns, and other important things are being involved in
surveillance, that there ought to be somebody not representing
the target of the investigation, but somebody representing the
public's interest in protection against unlawful searches and
seizures.
I know you have taken an interest in that legislation.
Congressman Stewart has. In the Senate, it's known as the Lee-
Leahy or Leahy-Lee Amendment that was offered to FISA a couple
of years ago. I think that would be a very important
contribution.
I agree with Liza, right now would be to pass the Fourth
Amendment Is Not for Sale Act.
Ms. Ross. It is up to the Chair whether the other--
Mr. Stanton. A brief answer by the other Witnesses, please.
Ms. Lamdan. All right. In addition, of course, to
everything that Chair Goodlatte and Liza just said, I'd also
ask everybody to take a look at the Privacy Act of 1974. I'm an
administrative law professor, so everything for me goes back to
administrative law. That law was actually based on something
called the Fair Information Practice Principles, which give a
lot of due process requirements, like transparency and notice,
and like consent requirements before massive data collection
happens by the Federal government.
Mr. Stanton. Ms. Wexler, a short answer.
Ms. Wexler. Thank you. Requiring law enforcement to obtain
exculpatory evidence on behalf of the accused if defense
counsel is unable to obtain it directly. This is a much bigger
problem now that law enforcement is getting so much more data
from the private sector, rather than seizing or searching it
directly, in which case law enforcement would, in the process
of collection, gain exculpatory information about flaws in the
data or the method. If they buy it from the private sector,
they don't get access to those flaws. So, Congress should
impose some obligation on law enforcement to gain possession of
exculpatory evidence and hand it to the accused.
Mr. Stanton. Mr. Tolman?
Mr. Tolman. I agree with the FISA reform, the warrant
reform, and the privacy reform. I would add that you empower
this, the Inspector General over DOJ, with more authority and
capability to go after abuse when it occurs.
Ms. Ross. Thank you, Mr. Chair, for your indulgence. I
yield back.
Mr. Stanton. Thank you. The Chair now recognizes Mr.
Steube.
Mr. Steube. Thank you, Mr. Chair.
My questions are for Mr. Tolman. The FBI has purchased
thousands of licenses for software to canvass social media
postings. In April of 2021, FBI agents mistakenly raided the
home of an Alaska couple in search of Nancy Pelosi's laptop
from January 6th. This raid was partially because of bad or
misleading information that they garnered from social media
postings.
Beyond the obvious privacy implications related to mass
collection of online data, does the practice also lead to
sloppy law enforcement and mistaken identities?
Mr. Tolman. There's no question that the use and the
overreliance on massive databases has produced great
injustices, whether it be from targeting of political
adversaries to the misidentification among persons of color, to
you name it.
So, the abuse is very prevalent, and it is growing. I would
just caution Members of Congress that we only know the tip of
the iceberg in terms of the abuse because we do not have enough
transparency to understand it fully.
Mr. Steube. Along those lines, it has been widely reported
that January 6th defendants have received increased sentences
and harsher treatment based on the political views that they
expressed on social media posts. They aren't being punished for
just their actions, but, also, for the beliefs that they held.
Some have even been subject to increased sentences for daring
to question the legitimacy of the 2020 election. Presumably,
some or many of these posts were found through social media
canvassing programs discussed in this hearing.
Does this level of government surveillance open the door to
government persecution based on ideology? Mr. Fitzgerald hit on
some of the FISA issues you saw in the Russia collusion hoax
that we dealt with. If you could comment on that?
Mr. Tolman. There is a great potential, when utilizing all
the data points that are now being collected, to actually work
in reverse than what we think a criminal investigation would be
in. That is to analyze the evidence, and then, pursue a
particular target. Instead, what is happening is a target is
identified, and then, they reverse-engineer the evidence that
is necessary to justify their investigation. That's a problem
no matter who's in power. It is a problem for abuse.
Mr. Steube. I just want to, in the time that I have
remaining, just kind of get your opinion generally on the
Patriot Act. Then, I set it up with a couple of examples.
There are specific reasons why Democratic Members of
Congress, and Speaker Pelosi herself, have called Republican
Members of Congress ``domestic terrorists.'' The reason for
that is they can use the Patriot Act to surveil on people that
are deemed domestic terrorists.
I am aware of situations where Republican Members' staff
who happened to be in or around the area on January 6th,
because they work here were randomly picked up because the FBI
were using the technological capabilities that they have and
marking as to whose cell phone numbers were here, and then,
randomly asking them to come and have questions from them.
What is generally your perspective on the Patriot Act and
the abuses that we have seen occur? Again, to your point that
you just made, we really will not know the depth of all of
those abuses until we have full transparency from the FBI and
the DOJ, which we are obviously not going to get, certainly,
under this administration. I would like to know, generally,
what your feeling is on the Patriot Act and the abuses that we
have seen, where they use the term ``domestic terrorist'' to
surveil on individuals like Trump collusion hoax and FISA, and
that sort of thing, to surveil on the American people.
Mr. Tolman. Well, there's no question that, when the
Patriot Act was passed and reauthorized in 2005, representation
from Department of Justice and the FBI was that it would not
reach and extend to citizens of the United States. That was
with respect to most of its provisions, especially those that
we hear so much about.
You take delayed notice search warrants, for example. We
were told that they would rarely request much of a delay in
giving notice that they were searching a target's person or
place or surveilling them.
We learned later, through the Inspector General, that this
was not the case; that Congress had been misrepresented to on
its use. That abuse, I'm certain, has not stopped. Those that
have that power need to be reined in, and if not, they will
continue to utilize the tools that are given them.
Mr. Steube. To your point, we are never going to know until
there is transparency and documents, and the DOJ and the FBI
are going to hide behind ongoing investigation, or that type of
thing, to not give Congress the answers of what is really going
on in these investigations.
So, absolutely, Congress needs to Act as it relates to all
these programs and the surveillance, and all these things
related to this. So, I want to thank all the Witnesses for
their time here today.
I yield back.
Mr. Stanton. Thank you very much, Mr. Steube.
This concludes today's hearing. We thank all our Witnesses
for participating. Mr. Chair, welcome back.
[Whereupon, at 1:43 p.m., the Committee was adjourned.]
APPENDIX
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
QUESTIONS AND RESPONSES FOR THE RECORD
=======================================================================
[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
[all]