Chapter 18: Your Data Is Being Sold to the Government
On March 18, 2026, FBI Director Kash Patel sat before the Senate Intelligence Committee and said something that should alarm every American. Senator Ron Wyden asked him a direct question: will you commit to not buying Americans’ location data without a warrant? Patel’s answer was equally direct. The FBI, he said, purchases commercially available information, and those purchases have produced valuable intelligence. When Wyden pressed harder, Patel responded that the FBI uses all tools available to accomplish its mission.
Read those words again. The Director of the Federal Bureau of Investigation confirmed, under oath, in front of the United States Senate, that your government is buying your location data. Your travel patterns. Your daily routines. The places you visit, the doctors you see, the houses of worship you enter, the protests you attend. All of this data is available for purchase on the open market, and the FBI is buying. No judge signed off. No probable cause was established. No warrant was obtained.
Wyden called the practice an outrageous end run around the Fourth Amendment. He warned that combining these commercial data purchases with artificial intelligence creates a surveillance machine the framers of the Constitution never imagined and never would have permitted.
This is not a story about some obscure government program buried in classified documents. This is happening in the open. Agencies across the federal government, from immigration enforcement to intelligence, from the IRS to the Secret Service, are spending tens of millions of your tax dollars each year to buy the same intimate details about your life that they would need a warrant to obtain through any other means. And right now, as you read this sentence, no federal law prohibits the practice, and no court has ruled against the practice.
Your Fourth Amendment rights have a loophole. The government found the loophole. And the government is driving a fleet of surveillance trucks straight through the loophole.
How a 1979 Phone Call Created Today’s Surveillance Machine
To understand how the government got away with buying your most private data, you need to understand a legal doctrine born nearly fifty years ago from a robbery suspect’s rotary phone.
In 1979, the Supreme Court decided a case called Smith v. Maryland. Police had installed a device on a robbery suspect’s phone line to record the numbers he dialed. The Court ruled 5 to 3 that no warrant was needed. The reasoning was simple and, at the time, seemed logical. When you dial a phone number, you voluntarily share that number with the phone company. Because you chose to hand over that information to a third party, you assumed the risk that the government might get access to the information too. The legal world calls this the third-party doctrine. If you share your information with a company, the government argues you gave up your right to privacy in that information.
Justice Thurgood Marshall saw the danger. He wrote in dissent that people have no meaningful choice in the matter. You have to use a telephone to participate in modern life. Expecting someone to give up their telephone to avoid surveillance is unreasonable. Marshall warned that the majority’s reasoning would let the government decide for itself how far Fourth Amendment protections reach. For four decades, his warning went unheeded.
Then came the smartphone era. And with the smartphone era came a case that changed everything, and simultaneously changed nothing.
Carpenter Closed One Door and Left Another Wide Open
In 2018, the Supreme Court took up the case of Timothy Carpenter, a man convicted of a string of robberies. The FBI had obtained 12,898 location data points from his cell phone carrier over 127 days. That is an average of 101 data points every single day, compiled without a warrant. The Court, in a 5 to 4 decision written by Chief Justice John Roberts, ruled that this kind of cell phone location tracking amounts to a search under the Fourth Amendment, and that the government needs a warrant to get those records from your wireless carrier.
Roberts recognized that cell phones are indispensable to participation in modern society. He acknowledged that your phone logs your location automatically, without any action on your part beyond simply turning the device on. He understood that this data creates a detailed chronicle of a person’s movements, revealing family, political, professional, religious, and sexual associations. The Court got the problem exactly right.
Then the Court deliberately created the escape hatch. Roberts wrote that the decision was narrow. The majority said nothing about whether the government is free to simply buy the same type of data from a commercial data broker instead of compelling a wireless carrier to hand the data over. Roberts even mentioned in his opinion that wireless carriers sell aggregated location records to data brokers. He acknowledged the pipeline. He chose not to address the pipeline.
Federal agencies read that silence as an invitation. If the Court said the government needs a warrant to force a phone company to turn over your location data, the government’s lawyers reasoned that buying the same data on the open market from a data broker is a voluntary transaction, a commercial purchase, a routine business deal. In their view, no Fourth Amendment interest is triggered because the data is available to anyone willing to pay. One senior DHS attorney compared buying your location data to buying a widget.
Think about that comparison for a moment. Your movements through every hour of every day, your visits to your doctor, your child’s school, your therapist, your place of worship, your attorney’s office. All of that, in the eyes of your own government, is a widget.
The Agencies Shopping for Your Life
The scale of government data purchasing is staggering, and the FBI is far from the only buyer. Virtually every major federal law enforcement and intelligence agency has purchased Americans’ personal data from commercial brokers. The receipts are public, obtained through years of Freedom of Information Act litigation, congressional investigations, and leaked internal documents.
Immigration and Customs Enforcement
ICE has built the largest commercial surveillance operation of any federal agency. The relationship stretches back to at least 2017, when the Department of Homeland Security began buying location data from a company called Venntel. Venntel advertised that its systems process more than fifteen billion location signals every day from over 250 million mobile devices. ICE purchased Venntel licenses for $190,000 in 2018. Contracts with Babel Street, another data vendor whose Locate X product lets users draw a digital boundary on a map and see every mobile device that entered or exited that area, grew from $1.1 million in 2018 to nearly $3 million by 2020.
The spending has accelerated dramatically. In September 2025, ICE signed a $2.3 million no-bid contract with a company called PenLink for cell phone location tracking and social media surveillance tools. PenLink had previously merged with an Israeli surveillance firm called Cobwebs Technologies, a company that Meta banned from its platforms in 2021 for targeting activists and journalists. By January 2026, ICE’s total spending on PenLink tools exceeded $5 million, and the agency’s 2025 surveillance budget was ten times its entire surveillance spending over the previous thirteen years combined. In February 2026, ICE signed a blanket purchase agreement with Palantir carrying a one-billion-dollar ceiling.
ICE agents used Venntel data to identify a suspected smuggling tunnel from Mexico to a fast food restaurant in Arizona, then staged pretextual traffic stops to conceal the role the purchased data played. Every ICE investigative analyst had access to the Venntel system. When seventy-two Democratic lawmakers demanded a DHS Inspector General investigation in March 2026, ICE cancelled a scheduled congressional briefing one day before it was supposed to happen, with no explanation. If your representative in Congress asks you to support legislation restricting warrantless data purchases, your support makes a tangible difference in closing this gap.
The FBI’s Broken Promise
The FBI’s arc on this issue tells you everything about government accountability on surveillance. In March 2023, Director Christopher Wray told the Senate Intelligence Committee that the FBI had purchased commercial location data for a specific national security pilot project, and that the project had not been active for some time. That was the assurance. The FBI tried the data. The FBI stopped using the data.
Three years later, under Director Patel, the FBI confirmed it resumed purchasing Americans’ data. Patel described those purchases as consistent with the Constitution. He offered no specifics about what data is being acquired, how many Americans are affected, or what safeguards exist. Meanwhile, the FBI’s existing contracts tell their own story. In March 2022, the bureau signed a deal for 5,000 licenses of Babel X social media tracking software, a contract worth up to $27 million over five years.
From the NSA to the IRS, Everyone Is Buying
The Defense Intelligence Agency confirmed in a January 2021 memo to Senator Wyden that the agency purchases commercially available smartphone location data. DIA analysts queried American location data five times in the preceding two and a half years. In March 2026, the DIA Director confirmed those purchases continue.
The NSA’s role was declassified in January 2024 after Wyden spent nearly three years pushing for disclosure. The NSA confirmed that the agency buys various types of commercially available information, including Americans’ internet browsing records, obtained without warrants. You read that correctly. The National Security Agency is buying records of what websites Americans visit.
U.S. Special Operations Command paid a secretive firm called Anomaly Six nearly $590,000 for what the contract called a Commercial Telemetry Feed. An Air National Guard unit in Iowa that flies armed Reaper drones also purchased access to commercial location tracking tools.
The Secret Service purchased access to Babel Street location data for over $600,000 in 2019 and another $229,000 in 2021. Internal Secret Service personnel raised concerns that the data contained personally identifiable information, directly contradicting the agency’s public claims that the data was anonymous.
The IRS Criminal Investigation division purchased Venntel subscriptions granting 12,000 queries per year, with agency lawyers arguing no warrant was needed because phone users had voluntarily granted access to location-collecting apps. The DEA committed more than $10 million to PenLink surveillance tools.
Customs and Border Protection purchased over $5 million in data broker contracts and, in one three-day span in 2018, acquired approximately 113,654 location data points from commercial sources. In March 2026, an internal DHS document confirmed for the first time that CBP’s location data was sourced directly from real-time advertising auctions, the same auctions that serve you banner ads on your phone.
Every time you read about another agency making these purchases, remember: you are paying for this. Your tax dollars fund every one of these contracts. You are financing the surveillance of yourself. That reality alone should motivate you to contact your senators and representatives and ask them where they stand on the Fourth Amendment Is Not For Sale Act and its successor legislation.
What the ACLU Uncovered in January 2026
On January 12, 2026, the ACLU published a new batch of documents obtained from DHS through ongoing Freedom of Information Act litigation originally filed in December 2020. These documents provided the most detailed look yet at the legal and operational machinery behind warrantless data purchasing.
The most significant document was a two-page internal ICE legal memo laying out the agency’s rationale for buying Americans’ data without a warrant. The memo argued that purchased location data is fundamentally different from the cell phone records at issue in the Carpenter case because the data is commercially available rather than compelled from a carrier. This is the clearest statement of the government’s legal theory that has surfaced through litigation. Additional documents revealed that the DHS Privacy Officer raised direct concerns about how advertising identifiers get linked to specific individuals during analysis, and about how long the data is retained. Internal records also showed that the DHS Office of Science and Technology purchased Venntel access without completing a required Privacy Threshold Assessment.
The document release implicated six separate DHS components: ICE, CBP, the Secret Service, the Coast Guard, DHS headquarters offices, and the Office of Science and Technology. DHS had announced in 2024 that the department was ending data broker contracts. The ACLU’s documents showed that ICE had already resumed purchases through a different vendor.
Congressional reaction was immediate. Senators Mark Warner and Tim Kaine demanded a DHS Inspector General investigation. By March 2026, seventy-two lawmakers had joined that call. Maine’s legislature passed a landmark state privacy bill partly inspired by the revelations. You have the ability to demand the same from your state legislators, and if you live in a state that has not taken action, your voice is needed now.
The Law Congress Passed and Never Finished
A bill called the Fourth Amendment Is Not For Sale Act was first introduced in April 2021 by Senator Ron Wyden, a Democrat from Oregon, and Senator Rand Paul, a Republican from Kentucky. Let the bipartisan nature of that pairing sink in. On the question of whether the government should need a warrant to access your personal data, members of Congress from both parties agree. The bill attracted twenty Senate co-sponsors spanning the ideological spectrum, from Senator Bernie Sanders to Senator Mike Lee.
The bill’s core idea is straightforward. Government agencies would need to get the same court orders to obtain data from data brokers that they already need to get data from phone companies and tech firms. The bill would also prohibit agencies from purchasing data obtained through deception or hacking, and it would make any evidence obtained in violation of the law inadmissible in court.
In July 2023, the bill passed the House Judiciary Committee unanimously. On April 17, 2024, the full House of Representatives passed the bill 219 to 199. One hundred and twenty-three Republicans and ninety-six Democrats voted yes. Both the Speaker of the House and the Minority Leader voted in favor.
The bill then moved to the Senate, where it died. Offered as an amendment to the FISA Section 702 reauthorization, it failed 31 to 61, unable to reach the sixty-vote threshold needed to survive. Senate leadership from both parties insisted that all amendments fail to avoid sending the FISA bill back to the House before its expiration deadline. The intelligence community lobbied hard against the measure, calling the restrictions devastating to operations. Law enforcement groups lobbied against the measure as well. The standalone Senate version expired without a committee vote on January 3, 2025.
As of March 2026, the bill has not been reintroduced in the new Congress. A related bill, the Government Surveillance Reform Act, was introduced on March 13, 2026 by Senators Wyden and Mike Lee. The data broker loophole in federal law remains wide open. Your representatives need to hear from you on this. A phone call, a letter, an email to your senators asking them to co-sponsor surveillance reform legislation costs you five minutes and moves the needle more than you might think.
Geofence Warrants and the Supreme Court’s Next Big Decision
Geofence warrants represent a different species of government surveillance, and the Supreme Court is about to weigh in on them for the first time. Here is how a geofence warrant works. Instead of identifying a suspect and then seeking that suspect’s data, law enforcement draws a virtual boundary around a location, say a crime scene or a city block, and demands data on every single device present in that area during a specific time window. Google maintained a database called Sensorvault that archived location data from approximately 592 million users, logging locations on average every two minutes, sometimes with precision down to a few meters.
Google received its first geofence warrant in 2016. Requests exploded from there, increasing 1,500 percent from 2017 to 2018, then another 500 percent from 2018 to 2019. By 2020, Google was receiving over 11,500 geofence warrants per year, accounting for roughly one quarter of all the warrants the company receives.
Jorge Molina, a twenty-three-year-old in Avondale, Arizona, learned what these warrants mean for an ordinary person. In December 2018, police arrested him for murder. A geofence warrant had flagged a device linked to his Google account near the crime scene. Officers told him his phone placed him at the scene one hundred percent, without a doubt. He spent six days in jail. He lost his job. He lost his car. He dropped out of school. Then police discovered the actual suspect was his stepfather, who had been using an old phone still logged into Molina’s Google account.
In Gainesville, Florida, a thirty-year-old restaurant worker named Zachary McCoy became a burglary suspect because his daily cycling route happened to pass near a burglarized home. He borrowed $7,000 from his parents to hire a lawyer who got the warrant quashed.
The federal courts are deeply divided on whether geofence warrants pass constitutional muster. The Fifth Circuit ruled in August 2024 that geofence warrants are categorically prohibited by the Fourth Amendment, calling them modern-day general warrants and comparing them to the exact sort of general, exploratory rummaging the Fourth Amendment was designed to prevent. The Fourth Circuit reached the opposite conclusion, ruling that a defendant had no reasonable expectation of privacy in Google location data because he had voluntarily shared that information with Google.
The Supreme Court agreed on January 16, 2026 to hear the case, Chatrie v. United States, with oral argument set for April 2026. This will be the first time the Court examines how the Carpenter decision applies to location data held by a commercial technology company rather than a wireless carrier. The ruling, expected by summer 2026, will shape Fourth Amendment protections for a generation. Meanwhile, Google announced in December 2023 that the company would move location history data to on-device storage by default and encrypt cloud backups so that even Google cannot read them.
Those changes make it far harder for the company to respond to geofence warrants going forward. No state has enacted a full ban on geofence warrants, though New York’s Reverse Location Search Prohibition Act has been reintroduced in 2025, and Montana became the first state in 2025 to prevent police from purchasing citizens’ data that would ordinarily require a warrant.
Keyword Warrants: When Your Google Searches Become Evidence
If geofence warrants track where you go, keyword warrants track what you think. Law enforcement submits a request to Google asking for a list of every person who searched for specific terms during a given time period, sometimes within a particular geographic area. The warrant does not target a known suspect. The warrant targets everyone who typed certain words into a search bar.
The first state supreme court to address the constitutionality of keyword warrants was Colorado. An arson fire in Denver’s Green Valley Ranch neighborhood killed five members of a Senegalese immigrant family, including a toddler and an infant. With no suspects after two months, Denver police obtained a reverse keyword warrant seeking the IP address of anyone who had searched for the home’s address in the fifteen days before the fire. Google produced data on 61 searches from 8 accounts, leading to the arrest of three teenagers. The Colorado Supreme Court recognized that people have a constitutionally protected privacy interest in their search histories, with direct implications for free speech and free thought, and assumed without deciding that the warrant was constitutionally defective. The court allowed the evidence under a good faith exception.
Keyword warrants require searching databases encompassing over one billion Google users processing up to 100,000 queries per second. Google’s changes to location history storage have no effect on keyword warrants. Your searches remain stored on Google’s servers, and law enforcement continues to demand access to them.
The Pennsylvania Supreme Court currently has a keyword warrant case pending, with major civil liberties organizations filing briefs arguing these warrants are unconstitutional dragnets. If the idea of the government having access to your search history concerns you, this is the moment to switch to a privacy-focused search engine and to review the data Google stores about you. Go to myactivity.google.com and see for yourself what is there. Delete what you do not want stored. Turn off Web and App Activity if you are willing to trade some convenience for privacy.
The Bigger Surveillance Machine
Data purchases, geofence warrants, and keyword warrants are just one part of a much larger surveillance ecosystem. Tower dumps allow law enforcement to request records of every phone that connected to a specific cell tower during a given period. A single tower dump captures data from hundreds to nearly 1,700 phones. In February 2025, a federal magistrate judge in Mississippi became the first judge to deny a tower dump request outright, writing that the Fourth Amendment does not permit law enforcement to rummage through troves of data and then decide for themselves whether probable cause exists.
A company called Fog Data Science sells location data to local police departments for as little as $7,500 per year, putting mass surveillance capabilities within the budget of small-town law enforcement. Stingray devices impersonate cell towers to capture every phone in range. Automated license plate readers, like those operated by Flock Safety in Vallejo, California, identified more than 400,000 vehicles in just thirty days. Data fusion platforms from companies like Palantir integrate all of these surveillance streams into unified dashboards, giving analysts a single-screen view of a person’s movements, associations, and digital life.
The intelligence community’s own assessment of the problem is chilling. In June 2023, the Office of the Director of National Intelligence declassified a report from a Senior Advisory Group Panel that concluded commercially available data includes information on nearly everyone that is of a type and level of sensitivity that historically could only have been obtained through search warrants, wiretaps and surveillance. The report warned that this data could identify every person who attended a protest or rally, and that in the wrong hands, the data could enable blackmail, stalking, harassment, and public shaming. Most remarkable of all, the ODNI admitted that the intelligence community itself did not even know which agencies were buying Americans’ personal data or the full extent of the purchases.
Real People, Real Consequences
As mentioned earlier in the book, the Muslim Pro prayer app had been downloaded more than 98 million times. Millions of Muslims around the world used the app to check prayer times and find the direction of Mecca. In November 2020, journalists revealed that the U.S. military was buying granular location data extracted from Muslim prayer apps, including Muslim Pro and Muslim Mingle.
The data flowed through two pipelines. One was Babel Street’s Locate X tool, purchased by U.S. Special Operations Command. The other was a company called X-Mode Social, which had embedded its tracking software directly inside the apps and sold the resulting data to defense contractors. X-Mode’s CEO confirmed the company tracked 25 million American devices every month. The Council on American-Islamic Relations captured the outrage perfectly: using an app to check prayer times should not lead a Muslim to become a victim of government surveillance.
Apple and Google banned X-Mode from their app stores. The company changed its name to Outlogic, was acquired by another firm, and in January 2024 became the target of the FTC’s first-ever ban on selling sensitive location data.
The surveillance also reaches reproductive health. A data broker called Near Intelligence sold geolocation data to a nonprofit affiliated with Wisconsin Right to Life. That organization drew digital boundaries around nearly 600 Planned Parenthood clinics across 48 states and served 14.3 million targeted ads to women who visited those clinics between 2019 and 2022. Near’s Chief Privacy Officer admitted the company had no technical controls to prevent targeting of sensitive location visitors until the summer of 2022.
A separate data broker called Mobilewalla tracked approximately 17,000 Black Lives Matter protesters in June 2020, analyzing their race, ethnicity, and home towns. The FTC brought enforcement actions against both companies.
Then there is the security risk created when surveillance data itself gets stolen. On January 4, 2025, Gravy Analytics, the parent company of Venntel, the primary vendor selling location data to federal agencies, discovered a massive data breach. A hacker posted 17 terabytes of stolen data on a Russian-language cybercrime forum. The leaked sample contained 30 million records from just the first days of January 2025, drawn from 3,455 Android apps including dating apps like Grindr and Tinder. The full stolen database is estimated to contain over 200 billion records. The same data the government purchased to surveil Americans ended up in the hands of foreign cybercriminals.
When you reduce the amount of data apps collect about you, by reviewing app permissions on your phone and denying location access to any app that does not genuinely need your precise location, you reduce the data available to both commercial brokers and the hackers who steal from them.
What You Need to Know Right Now
The Fourth Amendment to the United States Constitution was written specifically to prevent this kind of government overreach. The framers had lived under British general warrants, which allowed government agents to search anyone, anywhere, for anything. They crafted the Fourth Amendment to require the government to go to a judge, demonstrate probable cause, and obtain a warrant before searching your private life.
The data broker loophole makes that protection meaningless for hundreds of millions of Americans. The government needs a warrant to compel your wireless carrier to hand over your location records. That same government walks down the street to a data broker and buys information that is equally detailed, equally personal, and equally revealing, for a fraction of the cost and with zero judicial oversight.
Congress has tried to close this gap. The Fourth Amendment Is Not For Sale Act passed the House of Representatives with bipartisan support. The bill died in the Senate. A successor bill was introduced in March 2026. Whether this gap gets closed depends on whether enough Americans demand action from their representatives. Call your senators. Call your House member. Tell them you expect the same constitutional protections to apply regardless of whether the government compels your data or purchases your data.
The Supreme Court’s upcoming decision in Chatrie v. United States is poised to reshape the landscape. If the Court extends the Carpenter reasoning to location data held by commercial technology companies, federal agencies will face a much harder legal argument for their data purchases. If the Court rules narrowly, the legislative path becomes even more urgent.
Every day you carry a smartphone, you generate data that describes your life in granular detail. That data flows from your phone to app developers, from app developers to data aggregators, from data aggregators to data brokers, and from data brokers to government agencies. This pipeline operates without your meaningful consent, without judicial oversight, and without any federal law preventing the final transaction.
The government is buying what the Constitution says it needs a warrant to obtain. The question is whether you and enough of your fellow Americans will insist that your government follow its own Constitution. The answer to that question will shape the privacy rights of every generation that follows.