It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation, if not in letter, then in spirit, of the fourth amendment. I’d like to see an amendment to the Constitution to update the fourth amendment for the modern era, where a huge amount of information can be gathered about people without “searches and seizures”. The general issue of data collection is obviously one of the largest of our time, but I think most people would agree our own government should not be using our money (or debt) to legally circumvent our rights.
It's the premise that once you give up data to a third party, you no longer have any "reasonable expectation of privacy" so therefore it's not a search.
There is similar case law backing up searching your garbage can. While it's up against your house (aka still under your control), you have rights to it.. once you put it on the street for the garbage truck to collect, you've surrendered those rights.
I'm NOT saying this is good or what I like - specifically, I hate it - but it's how it currently works under US case law.
Therefore, to change things, we need Congress to write new laws and/or new Amendments. Our opinions of "how it should be done" are irrelevant unless backed by the law.
The funny thing is, when it comes to freedom of speech, the courts made the opposite decision with the State Actors doctrine. If the government wants to censor you, they can't reach through a private institution to do it. But the Third Party Doctrine says they can reach through a private institution to search and seize your property.
This is an arbitrary distinction chosen purely by judicial fiat. There was no democratic movement to strengthen 1A and weaken 4A/5A in this manner. Ergo, we shouldn't necessarily have to get Congress involved just to fix this weird inconsistency in caselaw. The courts have an understandable aversion to "legislating from the bench", but if you've already done so, I think it's fine to at least fix obvious mistakes.
There's a major (and important) distinction between the two scenarios.
The State Actors doctrine says that the government can't hire someone to do something on their behalf that they're not allowed to do.
Under the Third Party Doctrine, they aren't searching and seizing your property in this case, as your data is no longer your property since you gave it to that third party already.
If the government was paying Neustar (or whomever) to go acquire this data on their behalf, it would be an issue under current law. But buying something that was handed over willingly* is a different issue.
*the article makes a valid point that many people are unaware they have agreed to hand this data over to a service provider, which is something that should be addressed IMO.
You might not agree with it, but it's not an "obvious mistake" and it's not a "weird inconsistency" in caselaw.
Under the Third Party Doctrine, they aren't searching and seizing your property in this case, as your data is no longer your property since you gave it to that third party already.
If you have a child in public education, you are forced to use third party tools to communicate, acquire class photos, enroll in sports, etc.
Nothing with data collection is "voluntary". To exist in our society there are so many "private institutions" that essentially wield governmental power.
It will absolutely be our undoing as a country that we cannot see the forest from the trees.
> If you have a child in public education, you are forced to use third party tools to communicate, acquire class photos, enroll in sports, etc.
No, you aren't (at least in my area), but even if you are that's not the government's problem.
> Nothing with data collection is "voluntary". To exist in our society there are so many "private institutions" that essentially wield governmental power.
It is "voluntary". The quotes are there for a reason because it can be highly inconvenient not to "volunteer", but it is possible (at a cost in most cases).
> It will absolutely be our undoing as a country that we cannot see the forest from the trees.
Third party data access will not be our undoing.
For one, it's not that serious of an issue, and we can ultimately change the law if enough people feel strongly enough about it.
I don't think the courts or the companies which hold your personal data consider you to have any property right to that data (beyond the intellectual rights you may have via any copyrights, even if you count those much personal data like your location history or your DNA isn't copyrightable). Imo when the government receives a copy of your personal data from a third party they aren't "taking your property" any more than I would be if I took a photograph of your house.
How do you imagine property rights for personal data to work? Even in places like the EU with stronger rights/protections around personal data they don't try to fit those rights/protections into the existing framework of property rights because they are so different.
We continue to "own" the data, but we've given them a worldwide irrevocable unlimited license to do what they want, limited only by local law.. hence why I put "own" in quotation marks.
Well that is in regard to any copyrighted material you may give them. But for uncopyrightable things like data from a heart rate sensor, or your shopping history on amazon, you can only ever own the physical objects the data is manifested in, not the data itself. And any company will definitely tell you that you have zero property rights over the actual storage devices in the datacenters where your data happens to reside.
Yeah certain information held by third parties is already protected by statute such as video tape rental or sale records, or emails held by a service provider for less than 180 days. There really isn't a reason why congress couldn't expand similar provisions to all or most personal data held by third parties.
I'd wager you could argue that it's not possible to participate in society without internet services, and that it's not possible to use internet services without divulging personal data.
It's practically impossible to avoid giving your information to a 3rd party.
There's no expectation of privacy for garbage, and no fourth amendment protections for it. That's why dumpster diving remains legal as long as you don't break since other law like trespass in the process.
> where a huge amount of information can be gathered about people without “searches and seizures”
Although in my opinion, the vast majority of this data collection and use absolutely counts as "searches and seizures" -- just by private corporations rather than the government. Which, in my view, is worse than if it were just the government.
I think there needs to be some kind of "responsible and clear disclosure" laws that require companies to very clearly and overtly disclose what data they're collecting and how they're using it.
Some kind of standardized "label" (something like the standardized nutritional facts on food products) that is easy for consumers to read and comprehend, not buried in pages of paperwork, without needing to read a 20 page TOS / Privacy Policy.
The legal problem is everyone is "consenting" to data collection by accepting a TOS which protects companies and makes it "legally acceptable". The real problem that needs solving is consumers are rarely aware of what they're consenting to. Companies might not hoover up and sell as much data if they were required to clearly tell everyone they're doing it.
Basically, let's get rid of this idea that agreeing to a 20 page TOS / Privacy Policy is legally binding when < 1% of people actually read what they're agreeing to.
> The real problem that needs solving is consumers are rarely aware of what they're consenting to.
Right, which means consent was never actually given. In order for it to be consent, you have to be fully informed of and understand what you're being asked to consent to, and there has to be a realistic and meaningful way to withhold that consent.
> you have to be fully informed of and understand what you're being asked to consent to
This really makes it seem like only a very limited set of contracts would actually be legal.
To me a big problem we have is that we act as if there is a fair "fight" between a mega corporation with a expensive team of lawyers, expert psychologists, and supercomputers against ... my gandma who googles to get to google. I think we all know that nearly no one reads pretty much anything they sign and if they did it is not clear that they are fully informed, understand, or are not under pressure (clear case might be medical consent forms authorizing something like a emergency surgery. I'd find it impossible to convince me the person signing was well informed and not under duress. I'd rather case like that revolve around expert of doctors determining if an action was reasonable to another doctor rather than have anything to do with a patient or surrogate signing a document. Seems to just waste time).
It really would be great if the crack team of lawyers was required to put terms and conditions into text that is understandable by an average person in a reasonable amount of time.
>This really makes it seem like only a very limited set of contracts would actually be legal.
Correct. There is an abject lack of respect and even basic understanding of consent in society, especially in the business world. It's a massive problem that does not receive anywhere near the attention it deserves.
A TOS is absolutely not a contract that people enter into fully aware of the implications.
We should have granular control over the permissions we give companies in how they use data. I don't feel it is enough to require clear disclosure of the ways a company uses data, I think they should require explicit and knowing consent from the user, and the user should have a meaningful way to withhold consent other than to abstain entirely from using any online services.
It is hardly fair or equitable, and surely should not be legal that a company can, without any meaningful way for a user to withhold their consent, declare & demand unlimited control and benefit (of/from the user's data) for any purpose whatsoever, including sharing and selling said data for a profit to data brokers who have no contractual obligation to the user once they obtain the data.
I'm fully with you, but my question is how you actually inform people at the power of their data? I often pressure people into chatting with me through Signal and I'll be honest, there is often a defeatist or lack of knowledge at what this data can be used for even among graduate CS students.
Honestly, I think one of the major issues is that the world is exceptionally complex these days (well, always has been, but surely there's more now). Our entire world runs on specialization but we often act as if one needs to be an expert in nearly every domain. Is not the definition of an expert someone who understands the nuances and complexities of said niche? It would then seem de facto unreasonable for people to have a nuanced understanding of practically any given subject.
Because of this, I want to question the common framing about focusing on informing people. I don't want to stop informing people, to be clear. But I think we should look for solutions that are not reliant upon people being informed, as this is clearly not a scalable nor stable mechanism for creatures with finite ̶t̶a̶p̶e̶ ̶ knowledge and finite time.
The thing is, people don't have the ability to withhold consent. I don't think people would need to be fully informed to realize that withholding consent is better than giving it, if that was actually a viable choice to make.
I mostly trust Mozilla but I still turn off all of their data collection in Firefox. This wasn't always my default but it is now my default in any place where I am given the choice.
It really is difficult to understand all of the implications and it's taken me years of experience to realize that I should just default to presuming that data collection is going to be bad for me in the long run. When there is a complex and nuanced situation involving a binary choice then all you really need to know is which of the two choices is generally more likely to be in your best interest, then always choose that one. For data collection the safe bet is always "no"
Yeah that's how I am too, even with Mozilla. For the same reason: default to the most secure option. Everything is so complex that I can't know what my information makes me vulnerable of.
We can't force people to care about privacy. That's not the goal. If someone is clearly informed and they still don't care, that's totally fine. The problem is people aren't being clearly informed.
No, the problem is that they don't really have an alternative. To give none of your information to banks, email providers, ISPs, cell service providers, etc. is to remove yourself from society.
Companies, courts, and for the most part the congress, obviously don't seem to care. (In the USA, at least. Europe sort of seems to care but even then I'm not sure the solutions have been adequate / appropriate)
I’m not sure of your personal skills, abilities, and background, so this is more of a general call to action: Why not create an alternative?
I’ve often heard people talk of a lack of alternatives to certain services, so they use them begrudgingly, or boycott them at large personal cost. But it doesn’t have to be this way. There is nothing that I’m aware of that says banks or digital service providers need to collect any more information than is necessary to provide the service they offer. It seems to me that, at least in a this niche community there is a desire for privacy-respecting products and services. A company that oriented itself around meeting that demand would be, I suspect, very lucrative.
>There is nothing that I’m aware of that says banks or digital service providers need to collect any more information than is necessary to provide the service they offer
And what about all the information that is necessary to provide the service they offer, like the real-time location of everyone's cell phone and who calls who when and for how long or all the DNS requests? Sure, a company doesn't have to retain this information and market it for resale, but providing these sorts of services necessarily entails access to a lot of information that most people would consider private, but which the third party doctrine says isn't.
This is the key right here. There should be a clear way to withhold consent because implicit agreement isn't good enough for the kind of data collection and aggregation that is happening.
> If someone is clearly informed and they still don't care, that's totally fine.
Let's be honest here, how many people are "clearly informed?" That's fuzzy definition. I'll give a personal example here[0]. Certainly the implications here are operating through fairly abstract and indirect mechanisms (it's even called "metadata") and most people are not trained to operate within these types of frameworks.
FWIW, no one seems happy with the situation but feel that they have no choice in the matter. It's said that you can choose not to use said service, but often the implication of that means no phone, no internet, no computer (at least non-linux), no bank, etc. There may be a literal choice available, but not a reasonable choice. I think we need to have a clear distinction between these two, because the literal choice is often used to justify something that would have major impacts. I think it is difficult to argue that one could create a reasonable and relatively average modern life with no access to phone, internet, or computer. It also then clearly becomes "well I'm forced to share with x people, so I guess I'll share with y" and often x is "the government" (even if it isn't).
[0] I've on several occasions had conversations with my family where they've been convinced that their phone is listening to every conversation they have (this dates back to 2010 btw but continues today) because they were served ads for something they were talking to about with a friend, in person. They are convinced that is the only way that such an inference could be made rather than through knowledge that the friend made the purchase (recently), that the companies know these two people are standing right next to one another for an extended period of time, and have a decent knowledge of their interests to infer that this product would be likely discussed by these two people. Ironically the recording is more complex, but it appears simpler. Sure, setting is different in 2023+ but we know the compute costs to process every conversation and energy requirements to be always recording and that this would kill phones of the 2010's.
Their behavior against Gizmodo over an iPhone 4 prototype got really close to jailing tech bloggers.
Their technical control over the signing keys that Apple devices trust also gives them the ability to enjoin shittons of otherwise legal activity (e.g. emulators).
Apple also pays shittons to have Customs & Border Patrol lock down the US border and ban iPhone parts imports that aren't authorized by Apple. Does that count as a fine?
The first and third of those are Apple trying to get a government to do something on their behalf. The second of those is attempting to technologically restrict activities you can do with an Apple device, not legally restrict your activities in general. Apple still doesn't have the legal authority of a government, nor should it.
> It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation, if not in letter, then in spirit, of the fourth amendment.
Tragically the 4th amendment is kinda narrow. I would definitely appreciate some additions which enshrine a more specific right to privacy. Protecting against "unlawful" searches (AKA you have to take the case to court afterwards) is far to close to meaningless. Feels like the 4th amendment is about 10% as powerful as it should be.
> It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation, if not in letter, then in spirit, of the fourth amendment.
It is and always has been legal for other people to volunteer information about you to the police. Doesn't matter if they're operating a business or not.
I can call the police right now and tell them that lumb63 posted a comment on HN at 2024-01-30T14:14:13. If I had more detailed information, I could tell them that too, and they could legally listen to me. I could tell them literally anything that I know about anyone.
Why would that be illegal?
This situation doesn't have anything to do with the 4th amendment. The 4th amendment prevents the government from forcibly taking information.
The parent understands all that, you do not need to repeat what they said themselves.
Times change, so do effects and outcomes. Laws don't have to be fixed for eternity. It would be really dumb if they did. Fortunately a system was designed to update laws in accordance with a dynamic environment.
No, I am disagreeing with what they said. The 4th amendment is not the issue. It is and should continue to be legal for people to tell the government whatever they want.
The problem here is a lack of regulation for the companies that collect this data. Forget the government, data brokers can sell to anyone they want -- a stalker, someone looking to do harm to you, etc. People are harassed, robbed, cheated, scammed, and physically harmed using this information on a regular basis.
I understand you are disagreeing. They understand that the 4th Amendment doesn't offer these protections but made a claim that it does "in spirit."
> It is and should continue to be legal for people to tell the government whatever they want.
You're right, but that's not what's happening here. What's happening here is one of 2 things. 1) Government initiated: seeks out and requests information from others and in this case, offering payment. 2) Information holder initiated: who is specifically offering information in exchange for compensation. This is more akin to walking into your police station and saying "I have crimes to report, but I will only do so if you pay me first." Obviously this has perverse incentives and I think we can see how this can clearly be abused to circumvent any requirements for warrants or other such due process.
I do agree that this situation is in violation of the __spirit__ of our legal system. Clearly a loophole is de facto not in spirit. Whether that is a 4th Amendment or not, idk, IANAL and neither is the OP and I assume neither are you(?). 4th Amendment seems pretty reasonable to point to considering it mentions warrants and this practice is being done explicitly to circumvent warrant requirements. But clearly we all understand what is trying to be communicated here, and that's the point. I wouldn't have made such a comment if you mentioned explicitly third party doctrine (as casey did an hour before you) or cited some law which added clarity to the situation. But yes, everyone knows you can just freely go tell the police about a crime you witnessed. I'm not sure who does not understand this. I would be extremely surprised if anyone actually believed it was illegal to report crimes to authorities and immediately question their mental capacity. But I guess we disagree at what constitutes basic and obvious knowledge.
It doesn't violate the spirit of the 4th, nor is it a loophole. The 4th is not a prohibition on the government collecting information, nor is it a data privacy law. The 4th is about preventing the government from abusing their power to compel. Volunteered information isn't compelled by definition, so it is fine. This was the case then and it is the case now.
> 1) Government initiated: seeks out and requests information from others and in this case, offering payment. 2) Information holder initiated: who is specifically offering information in exchange for compensation.
Like a wanted poster and a bounty for information? These existed when the BoR was written. They weren't prohibited by the writers because the writers didn't have an issue with it. The 4th isn't a "government can't know anything or can't ask anything" rule, it's a "government can't bust down your door for no reason" rule.
> I wouldn't have made such a comment if you mentioned explicitly third party doctrine (as casey did an hour before you) or cited some law which added clarity to the situation. But yes, everyone knows you can just freely go tell the police about a crime you witnessed. I'm not sure who does not understand this.
The example I gave was a practical illustration of how silly reality would be if third-party-doctrine wasn't a thing.
I see your point regarding wanted posters and providing bounties for info on criminals. What’s going on with the intelligence agencies buying data from data brokers is definitely similar. However, it seems to me that the scale of what is going on at present is much larger; it is likely akin to having a wanted poster and providing bounties for any info on all people, criminal or otherwise. The vast majority of people whose data is being provided are probably innocent and not suspected of any crimes at all, nor will they ever be. And, as you say, the fourth amendment is a “government can’t bust down your door for no reason” rule. It seems where we differ is that I interpret (as does the U.S. Supreme Court since Katz v. United States) the “bust down your door” part to mean much more than my physical door, which is why I find that it violates the “spirit” of the fourth amendment: in my mind, an amount of privacy that it is reasonable to expect (e.g. what entities a person is communicating with over their own internet connection) is being denied by the government to perhaps all citizens using the Internet.
It sounds like we agree that the amount of data being collected on people via the internet is way too much and should be restricted. I think that regardless of whether or not stopping the government and its agencies from purchasing such data is or is not in keeping with the spirit of the fourth amendment, we will need legislation to protect the privacy we want from the government, and definitely from corporations. Let’s work toward that end.
> we will need legislation to protect the privacy we want from the government, and definitely from corporations. Let’s work toward that end.
I agree with the latter, but not the former. If you solve the commercial data privacy issue here, the entire problem is solved, because it is the root cause.
We don't need a law that prevents the government from buying records about your internet traffic. We need a law that prevents companies from selling it to anyone.
> If you solve the commercial data privacy issue here ... because it is the root cause.
I think many agree that this is a fundamental part of the problem but the article is about the NSA who has been known to gather a massive amount of information on the public through entirely their own means. But no doubt destroying surveillance capitalism will be a big win for the privacy, security, and safety of the public. From the government, foreign adversaries, and other members of the public alike. But the war will not be won despite victory in a major battle.
> We don't need a law that prevents the government from buying records about your internet traffic.
You're right. We shouldn't need a law and this will likely come down to a court case that would make explicit the spirit part. As government entities are not allowed to obtain evidence via means that an average citizen would. Which is the entire point. If the gov would need a warrant to collect that data themselves, they need a warrant to elicit that evidence (distinctly different from evidence freely and voluntarily being given to them). Meaning they need a warrant to buy the evidence.
> We need a law that prevents companies from selling it to anyone.
We need laws to prevent the collection in the first place.
> We need laws to prevent the collection in the first place.
Agreed, when possible. But the vast majority of this information is just generated from the activities inherent to doing business and it's always possible to prevent it from being collected at all.
I think it's generally okay and expected that businesses have information related to my interactions with them. But I think people don't expect or like the idea of that information being shared with third parties who didn't need to be involved.
The reason we cannot agree is because you refuse to acknowledge the direction of action. There is a difference if you report to the cops and if the cops come to you and ask you to report. These are completely different. You taking action: okay. Cops taking action: needs due process. Full stop.
> The 4th is about preventing the government from abusing their power to compel.
Let's get the 4th in here to so we actually read it and not from memory
> The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.
The 4th is in part about government abusing its power, and that's true for all amendments. But it is clear that the 4th is about protecting information. I do not think it is hard to read as "The government is not allowed to collect information on people without warrants and without due probable cause." It clearly has a legal setting for this given that it is what is cited to prohibit wiretapping[0] and I'll even quote Justice Potter[1]
> For the Fourth Amendment protects people, not places. What a person knowingly exposes to
the public, even in his own home or office, is not a subject of Fourth Amendment protection.
But what he seeks to preserve as private, even in an area accessible to the public, may be
constitutionally protected.
Note that the stress here is on intention to have public and intention to have private. You are protected even if in the public but intending to be private. Surely Potter would believe that were one to walk to a secluded area to hold a phone conversation and the government followed to secretly listen in, that this would be within the protection of the 4th Amendment. Many people incorrectly assume that you cannot have a reasonable expectation of privacy out in public. You sure can and everyone does it. Bathrooms are an uncontestable example.
> Like a wanted poster and a bounty for information?
The government cannot print wanted posters without due process. Yes, I have no problem with this. The due process part is essential.
> The example I gave was a practical illustration of how silly reality would be if third-party-doctrine wasn't a thing.
There is a huge difference between someone coming to the government out of their own free will -- someone who is not under duress nor are they incentivized by payment -- than the government making a request. Action is important. The government here is making an explicit action to seek and gather information. Obviously I do not object to someone reporting a crime and I should not need repeat myself any further.
There's a reason this is different and you need to stop pigeonholing me into a completely irrelevant argument. Here's how this can be abused. The government (or "friend") creates a private corporation. Private corporation does everything that the government cannot do without getting a warrant. Private corporation then gives the information to gov. How is this not a loophole?
That's the thing. The government is __seeking__ information that it would normally require a warrant to obtain. Were companies to freely offer this information to the government, then that's a completely different scenario and precisely the one you keep arguing which no one disagrees with. But if the government takes action to elicit that information, (aka ACTION) then that is not the same thing as information volunteered.
> There is a difference if you report to the cops and if the cops come to you and ask you to report. These are completely different.
So, when the police ask the public for information related to a crime, it should be illegal? I disagree. The police shouldn't be prohibited from asking anyone for help.
> I do not think it is hard to read as "The government is not allowed to collect information on people without warrants and without due probable cause."
It might be easy to read it that way, but that doesn't make your rephrasing a correct characterization of the writers intent. The 4th has never prohibited the government from collecting public information, information volunteered by the public, anything they observe in the course of their duties, or literally anything else that isn't compelled. The government has always collected these types of information, both now and at the time that this was written. The writers were aware that police need to collect information in their own investigations, and from other people, to do their job. This is why they specifically wrote what they did, and did not write your rephrasing.
> What a person knowingly exposes to the public, even in his own home or office, is not a subject of Fourth Amendment protection. But what he seeks to preserve as private, even in an area accessible to the public, may be constitutionally protected.
Right, phone booths do not have any rights under the 4th. And if Charles Katz is in a phone booth, he expects the conversation to be as private as speaking in a phone booth is. But if Charles Katz gambling partners at the other end of the phone decided to snitch on him, that's legal for them to do, even if Charles Katz didn't want them to.
Make no mistake, Justice Potter is definitely not saying "if you tell someone about a crime, it's illegal for them to snitch". He's saying that there are situations in public spaces where privacy from direct government surveillance is expected. Phone booths, bathroom stalls, changing rooms, etc. These are public spaces with some expectations of privacy. But there's nowhere, anywhere, that other people are prohibited from talking about you to the police.
> The government (or "friend") creates a private corporation. Private corporation does everything that the government cannot do without getting a warrant. Private corporation then gives the information to gov. How is this not a loophole?
Because the government has a monopoly on the use of force. If people working for a private corporation searched or seized information from others by force, it would be a crime. Data brokers do not use force to obtain their data. There is no search or seizure happening when you volunteer your data to a data broker or their affiliates.
"Rights" - even those enshrined in the Bill of Rights - are trampled on daily.
Try traveling with a concealed firearm across state lines. Or telling a K-9 police officer they can't search your car after the dog has alerted. Or use your free speech privilege to spread alleged vitriol.
There's no such thing as "rights" - only what individuals can defend in the current place and time they're in.
Or simply having the audacity to travel on an airplane.
> There's no such thing as "rights" - only what individuals can defend in the current place and time they're in.
I suppose that is the way it always has been. When the government was small people just didn't care what they were up to. The people became complacent and allowed a beast to grow. If the rights we are supposed to have keep getting trampled on revolution is inevitable. It may take a long hellish time to happen but that is one fork in the path we are on.
> It seems to me that the government accessing, even if by purchase, information
> of citizens without probable cause is a violation, if not in letter, then in
> spirit, of the fourth amendment.
On the one hand, I fully agree. On the other hand, I also agree with the intuitive argument that it's very strange to let private corporations surveil and gather, buy, and sell information about citizens to exploit for profit, but then say that the government can't buy that same information for law enforcement and national security.
It feels wrong to say that it's fine for someone with only a profit motive to use private data in small, petty ways to extract more profit from someone that's already paid them, but that the duly elected representative government can't use it for big, important things. Or, if law enforcement and national security are too fraught, what about, say, public health policy?
The obvious answer is that corporations shouldn't have access to it either, but that's a much harder sell, and so we're in this weird limbo.
> It feels wrong to say that it's fine for someone with only a profit motive to use private data in small, petty ways to extract more profit from someone that's already paid them, but that the duly elected representative government can't use it for big, important things.
We make this distinction all the time in areas like speech and searches, for good reason. The government is the only entity with near-omnipotent power over you. Corporations may be powerful, but they are ultimately restrained by the government’s monopoly on force; the government has no such restraints because it has the monopoly on force. It’s therefore reasonable and prudent to have different, more stringent rules for the government. If someone working for a corporation doesn’t like you, they can’t kill or imprison you (legally). Not so for the government.
With that being said, whether or not anyone at all should be allowed to collect or use this data is also a totally valid topic for discussion and disagreement.
I hate that, but that's for the greater good. We could prevent virtually all crime if we were all required to be under video, GPS, and audio surveillance at all times and only be permitted to leave your home to go to work or shop for basic goods, otherwise face a lifetime in prison. However, that goes against common sense and agreed upon basic human rights. You should be free of government/police surveillance unless there is a warrant with very specific and limited conditions and parameters, I feel that is the spirit of the 4th amendment and bill of rights in general.
It seems to be coming out that DNA evidence is not as reliable/accurate as we have been led to believe, so yes if the evidence was illegally obtained and of questionable veracity then we should release anyone who was convicted as a result.
If blame for the whole situation is required, blame the overzealous prosecutors who raced ahead with flimsy, pseudo-scientific evidence.
I don't think that they used the DNA from the databases to convict the people in these cases. I think it was more like this:
• They've got a serious crime, like a serial killer, but no real suspects. They do have some DNA that is almost certainly from the criminal but it does not match any DNA they have on file.
• Years later they compare that DNA to DNA in some large DNA database that is not focused on criminals.
• There are no matches that indicate that the criminal's DNA is in that database, but there are several matches that indicate people who are relatives of the criminal.
• They can then look at assorted public records to find people who are related in the right way to some of those relatives.
• Among those people, some previous person who either never was a suspect originally or a very weak suspect comes up. They then take a thorough look at any records can find about that person's activities at the times of the crime and find that they were actually connected to most of the victims and in the right places at the right times to be the criminal.
• That gives them enough evidence to compel a DNA sample from that person, or they start watching the person and get a DNA sample from something like a discarded napkin or cup that the person unwisely discarded in a public trashcan. That sample matches the samples from the crime scene.
• It is that latter sample, and the records of the person's activities and relationships with the victims, that form the bases of the conviction.
The point is they absolutely shouldn't have the ability to do blanket searches of DNA banks. That was my point. If they have a warrant for a killer's DNA and that person has sold DNA to 23 and Me then fine, go check his particular file. That would be kind of pointless since they could just force that person to give up their DNA with a specific warrant, but whatever. They should not be able to do pattern matching on the whole DNA database to fund an unknown killer. That would be violating my 4th amendment and 5th amendment rights because they don't have a warrant to check my DNA
basic interpretation of the 4th amendment. It's basic logic. The Bill of Rights was written for a reason, and written to be understood easily by everyone, rather than needing to dig through thousands of lines of laws and legal precedents that only lawyers could interpret.
> It seems to me that the government accessing, even if by purchase, information of citizens without probable cause is a violation
The fourth amendment is a prohibition on UNREASONABLE searches and seizures. What possible definition of "reasonable" would exclude "legally purchased on the open market"? What other perfectly reasonable techniques would you deny to law enforcement? Should they not be able to look at someone's LinkedIn? Look up their address in a phone book?
No, the constitution isn't going to protect you from the government doing what everyone else can. If we want this stuff not to be available for sale, we should regulate it.
Wyden's letter[1] is a lot more targeted than the Techdirt article. The letter says this:
"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,"
and refers specifically to an FTC order[2] that prohibits the government buying data from a specific shady broker (X-Mode Social).
He summarizes the letter on his own site without the editorializing that honestly I love so much about Techdirt.[3]
On a side-note, according to Wyden, 'Through this case, the FTC announced that Americans must be told and agree to their data being sold to “government contractors for national security purposes,” for the practice to be allowed.' I don't know how that's enforceable given how many hands user data goes through. Most organizations that suck that data up sell it to several third parties who can then sell it to whoever they want. All the NSA has to do is go a few steps down the chain.
So it doesn't matter. The NSA will continue, as you noted, to lawfully buy this data from third parties who are slightly less sketchy than X-Mode Social (what a name) and the FTC's toothless rule won't change a thing.
Who are you more concerned about being able to query your LexisNexis report, the NSA or the domestic terrorists?
Unfortunately many (most?) people on here are in the advertising/data merchant business. You will never convince someone to understand a thing if their livelihood depends on them not understanding it.
I don't know about the rest of you, but when it comes to
- Having enough money to retire into a dystopian hellhole that I spent my younger years creating
- Making some hard decisions now so that I can have an average life in a functioning society later
I'd prefer the latter. But conveniently, it's not HN that we need to convince to reign in advertising, it's the House and the Senate, and their voters are plenty suspicious of "big tech" whatever that is.
And yeah, much more worried about the NSA than terrorists.
> No, the constitution isn't going to protect you from the government doing what everyone else can.
That's actually it's literal intended purpose as far as I can tell. For example, my employer can make certain demands of my speech or otherwise punish me for my expressed opinions, while such behavior is explicitly forbidden from the government by the constitution.
That's true of the text of the first amendment, because that part is clear and unqualified ("congress shall make no law") as clearly the framers felt it was important not to be misunderstood.
Why do you think the word "unreasonable" is even in the text of the fourth then, if not to clarify that the government IS allowed[1] to do normal/legal/reasonable/whatever research?
I'm not saying you shouldn't be offended that this stuff is being gathered about you. I'm saying the constitution isn't going to protect you and you need to vote for candidates (Wyden's an excellent one!) who will pass laws to do that.
[1] Because of course it is. Again, police work requires information gathering!
While I get your point, the constitution is fundamentally _about_ hamstringing the government in ways you're fully allowed to privately contract away. It's about saying the government may pass any and all laws within these guidelines -- that's why you can shout fire at the top of a mountain and nobody cares, but in a privately owned theater it's not a free-speech issue.
Or something like that - point is, if it wasn't doing anything wrong, why was it obscuring that fact through classification and NDA's until now - when as you say - it's public data that the government would (in your theory of constitutional law) be entitled to purchase?
Going a step further, they can just pay another middleman to do the analysis and write up reports to generate information to execute reasonable searches and seizures.
That might be a good move, because this government is feeling kind of stale, but I think we'd pretty quickly realize that free markets want some things that are worth preventing and a government would emerge to keep them from turning all roads into toll roads and other such excesses.
I see your point. Data collection is required to some degree to, e.g., prosecute criminals. Any agency tasked with law enforcement would use all means at their disposal to do that, and legally purchasing data on the open market does seem reasonable. I agree with you that the Constitution and laws as they are today are unlikely to find any issue with the practices in place. However, my interpretation of the spirit of the fourth amendment is that Americans should not have to tolerate their government (or its agencies) infringing on their privacy unless they are suspected of having done something wrong, which is why the purchase of data from data brokers seems wrong to me.
Personally, I would deem such means permissible to investigate someone suspected of having committed a crime. Where I find issue is the widespread use of such techniques to monitor for crimes, since they come at such a large cost to personal privacy, and are searching for a needle in a haystack. Millions will have their privacy compromised so that maybe a single criminal can be caught, and personally, that cost is too high. I understand some folks might disagree that, but I hope Sen. Wyden, and others who join forces with him or follow him, will continue to represent that idea, and pursue legislation to codify it in law.
I doubt it. The data collected by brokers is going to all be indemnified by whoever collected the data. If they have all have posted privacy policies that include data collection and dissemination then it's fair game. I'm not sure the policies would even need to be airtight so long as the NSA and data brokers acted in good faith that they believed the policies were sound.
That and the third amendment for stationing a "soldier" (tracking and data collection) in our home (phone). And it needs to be extended to monopoly involuntary "private" entities with known federal sweetheart deals.
Many people live well and successfully, myself included, without being addicted to technology like the phones described. It's called discipline and self-control (and reading comprehension for the ToS).
You're not wrong, but the implied solution of no data brokers is gonna be a bad thing.
The information is out there, it's stupid easy to correlate and collate it. It's even easier to use that to do something profitable.
Getting rid of data brokers, making them not exist just makes a gray market for the information, one that is just as lucrative and is going to be untaxed and unregulated.
641a was the moment privacy died. We're not getting it back. We need to come up with a better method/idea...
We need data collection laws similar to HIPAA breaches that render data collection akin to storing nuclear waste. I'd like to see this apply to aggregate data mining too, so we can get rid of things like the Topics API.
HIPAA allows your medical information to be widely shared without your consent. It just requires the many holders of the data to implement some security controls.
There are multiple problems here, but only one of those problems works for the US people. It's clear to me which problem should be most easily addressed with the highest impact for the effort.
We're talking about the difference in trying to influence arbitrary third parties behaviors and the difference in trying to influence the behavior of your own employees.
I don’t really understand why it’s so much more controversial that agencies are buying commercially available data than that the data is being collected and made available to anyone that will pay in the first place.
well, first, companies having this information is inherently not ok to the average person
Second, agencies are purchasing this information with taxpayer money. So we're feeding a market that we may not agree with
Third, government agencies have rules, and when these agencies skirt around the rules or find loopholes, it has a negative effect on that agency. Generally, a population wants their government to have a good reputation and agents of the government are following the rules.
Fourth, and I think this may be the most important: government agencies have the authority and power to do things private companies cannot. government agencies can launch investigations, get legal advice from prosecutors, indite, get warrants, supena, arrest, detain, etc. All are invasive, expensive, and may result in a range of bad things (from paying lawyer costs all the way up to prison).
> well, first, companies having this information is inherently not ok to the average person
I sincerely disagree. The average person doesn't care. They should, but they absolutely do not. Don't fall into the hn-bubble trap.
> Second, agencies are purchasing this information with taxpayer money. So we're feeding a market that we may not agree with
If I had a nickel for everything the government did with my money that I disagree with I could quit my day job.
> Third, government agencies have rules, and when these agencies skirt around the rules or find loopholes, it has a negative effect on that agency. Generally, a population wants their government to have a good reputation and agents of the government are following the rules.
Generally, a population just wants to be "fat and happy" and secure. You're falling into the HN bubble trap again.
> Fourth, and I think this may be the most important: government agencies have the authority and power to do things private companies cannot. government agencies can launch investigations, get legal advice from prosecutors, indite, get warrants, supena, arrest, detain, etc. All are invasive, expensive, and may result in a range of bad things (from paying lawyer costs all the way up to prison).
The last step of the journey we're on is when individuals taking steps to limit the data collected about them by corporations are charged with obstruction of justice because the government cannot buy enough data about them.
The government is supposed to play by different (more constrained) rules because it has a monopoly on force.
I don't know what the legality of the NSA buying private data is, but it feels like it violates the spirit of the law that says they shouldn't be spying on their citizens.
We can set whatever rules we want for the government. Whether the information is available on the open market doesn’t matter. Government isn’t a force of nature. We could say the government is only allowed to buy data on a Friday the 13th during a full moon if we want.
>We can set whatever rules we want for the government.
But that's not what was discussed. The comment I replied to was talking about "the spirit of the law", which is separate from what the law ought be today.
They can only operate as such because the state turns a blind eye. It is no coincidence that they tend to be hired by parties that have tremendous political influence, act much like private police, and have an extremely cozy relationship with the actual police.
In short, the government is special because of its broad sweeping power to make laws that impact everyone. For example, consider the first amendment: "Congress shall make no law...abridging the freedom of speech". This applies to the government but not, say, to a third grade classroom rule against using curse words. It's perfectly reasonable for a private group to ban certain kinds of speech because if you don't like it, you can go somewhere else. But much more care must be taken when you're operating in the sphere of laws and government actions.
Another way to put it...the government is the only entity in society with a monopoly on the use of force. With great power there should also be a great degree of responsibility.
It should be obvious. The government can use information to prosecute people. Corporations can't. The government is much less accountable than corporations for malicious behavior due to sovereign and qualified immunity.
> Credit report crashes 400pts due to them finding what you said on a forum when you were 14
> no judge, jury or trial
> try to live in America
I'd argue corporations persecute people far more often than the government does. e.g. when credit bureaus find out you have cancer your credit score drops at least 100pts.
The simple fact is the Constitution is there to protect you from the Government. I personally think the government can basically shoot you in the face without repercussions and not face much of an issue with the right coverup; it's a lot harder for corporations to get away with that in any legal way. Sure they can ruin your reputation via credit or whatever, but they can't pitch you in a dark cell for forever, nor do they really have much incentive to do that, unlike the government. Corporations are not the government, if you want to limit their powers then get laws passed that are a mirror of the constitution except for corps instead of the government; until then you can't say corporations and the government are the same or that corporations are as bad as the government.
Examples can go back and forth. Government can unilaterally confiscate your property via civil asset forfeiture and make you prove it was obtained legally.
Not to mention the government is the one licensing the banks to create money through fractional reserves/the reserve ratio. That's why you're on an inflation treadmill where assets are constantly inflating in price to the point where you need a loan to make big purchases.
> One current federal prosecutor learned how agents were using SOD tips after a drug agent misled him, the prosecutor told Reuters. In a Florida drug case he was handling, the prosecutor said, a DEA agent told him the investigation of a U.S. citizen began with a tip from an informant. When the prosecutor pressed for more information, he said, a DEA supervisor intervened and revealed that the tip had actually come through the SOD and from an NSA intercept.
The problem did not occur at the NSA, because the NSA is not law enforcement, but at the DEA which is law enforcement. The DEA should have applied for a warrant and immediately notified their attorneys of the evidence source.
That's true, but the federal government has a limited number of things it can do, as specified in our memorandum of understanding between the people of the united states and the federal government. That ought to be the framing under which all federal actions are seen.
To put it another way, for individuals, unless something is illegal, you are entitled to do it. Whereas for the federal government, everything is illegal except that which was made legal.
Congress necessarily delegates some tactical authority to the agencies it creates and funds under the executive branch. Once we find out one of those agencies is doing nasty shit , like purchasing citizen’s data, the question for me is who do I complain to? The current president isn’t going to side against his IC otherwise he’ll get figuratively or literally Dallas-ed. Congress 503s after midterms. The courts are going to say “whatever LOL! what standing do you have?” If I dislike what the IC is doing, what should I do?
Private corporations can't imprison you (well not without government blessing) and take away your basic freedoms, the government can. Also, the Bill of Rights & Constitution is by and large meant to protect you from the excesses of government and not private citizens, regular laws are meant for that, mostly at the state and local level. That's always been the legal distinction in the USA
They don't want the govt to be able to do that but they also don't want to cut off the money faucet for data brokers.
Personally, I think that if data brokers have it then it is essentially public information. What makes the public information from data brokers different from other public information like your address?
Idk, I get your point but... Imagine a world where I could visit a site or ask a gpt to use the only thing I know about you, your apparently obfuscated HN username, and then I could track you in real time. Because it knew your username’s IP address, which then knew your phone, which then gave me a feed of your gps coordinates, which then gave me live video/audio of any networked camera/smart home device you were in view of. There would be very little shadow over you that people couldn’t watch, or record for future scrutiny. Your employer, business associates, religious groups, neighbors, etc would know everything about you. This is just the tip of the iceberg, your search history and porn viewing preferences and everything else you consider private would then be connected to the username you hide behind.
That would be a bit creepy but I wouldn’t be surprised at all if NSA had the data to build this capability. Money seems like a decent but exploitable way to keep all this data from being stitched together privately
Because the government is doing this specifically to evade controls that are supposed to help keep us safe from governmental abuse.
But I do agree with your premise: it's a travesty that this data is collected and made commercially available without informed consent in the first place.
It's not the action of buying the data, but the action of buying data on people you're not supposed to spy on, plus the technical capabilities of the NSA which raises the question of what the heck are you doing all this data plus the data you collect covertly with methods you don't tell, and what are the consequences of this on personal, national and community level?.
My guess is that domestic spooks buying the data is a threat to many people's "Just Pretend"-privacy armor. If Larry's Lawn Care, Esther's Escort Service, and 47 assorted mafias and criminal gangs buy my data...well, other than more spam, what are they actually gonna do with it? (Or so I can tell myself.) Vs. the FBI & local cops & such might dig through my data and [danger music] find something, or start doing creepy targeting of me, and they are the law, with power to do whatever they want...
Your "anonymized" cell phone GPS data can be used pretty easily to determine when you're not home for purposes of burglary.
Your household size and firearm preferences data can tell a rapist how easy of a target you will be.
Your genetic information can be used by insurance companies to secretly deny you coverage for pre-existing conditions, even though this is illegal.
Your genetic information could also cause you to be targeted by racists.
Your sexual preferences could be used against you as blackmail if the government or cultural moment shifts away from tolerance and they become unacceptable.
Your purchasing habits could cause you to become a prime suspect for a terrorist who used those same items in your area for a recent attack, like if your wife was buying a pressure cooker while you were buying backpacks for your kids doing back to school shopping.
I know a lot of these sound crazy, but consider this: the fact that they sound so crazy would itself make you sound less believable to others if anyone ever did victimize you any of these ways, furthering their odds of being able to perform that successfully without repercussions.
> Your "anonymized" cell phone GPS data can be used pretty easily to determine when you're not home for purposes of burglary.
Please - PLEASE - find me ONE example of a home burglary occuring under these circumstances.
> Your purchasing habits could cause you to become a prime suspect for a terrorist who used those same items in your area for a recent attack, like if your wife was buying a pressure cooker while you were buying backpacks for your kids doing back to school shopping.
This is just beyond nuts. Stop watching so much television, it's not good for your mental health.
>Please - PLEASE - find me ONE example of a home burglary occuring under these circumstances.
Likely not possible. By definition, these would be successful burglaries that happened when owner was not home and perpetrator was likely never caught.
Remember, the close rate on burglaries in the US is in the low teens - 13% as of 2022[1], and by definition, these were the dumb perpetrators that got caught - the 13% least competent||lucky of all home burglars.
Buying a pressure cooker and a backpack causing you to be suspected of terrorism is nuts?
Oh, you sweet, sweet, naïve summer child. This isn't fiction, it's a story from real life that's happened many times. A cursory search engine query shows numerous examples of this, e.g. this one[2] that happened over a decade ago!
I can't force you to be rationally worried about entirely plausible risks, just keep in mind that your irrational lack of concern for such possibilities only puts yourself at risk.
If I had to hazard a guess, I'd guess you're politically likely to be progressive/left wing. Do you know that's empirically correlated[3] with having less mass in your amygdala, the part of the brain responsible for evaluating threats and risks?
Several personal insults and as for evidence, a single "Long Island woman claims" allegation from ten years ago. Plus a political derangement twist - how exciting!
It is fascinating how insecure a person like you is capable of being degraded to by the same systems you so vehemently decry. It's analogous to being afraid of everyone on the street because they might have a black belt in martial arts.
My sense is that you did not read the comment I was replying to, and overlooked both disclaimers in my reply:
>> "Just Pretend"-privacy
>> Or so I can tell myself.
I am perfectly aware of every fact you noted. Repeating those facts on HN educates no one, and does nothing whatever to address the question in the prior comment.
Because Americans are so terrified of government that they can be completely okay with something terrible as long as it's private corporations doing it (and so, theoretically, you have the ability to not be a customer of that corporation) and not the government. Even if in practice your data is still being collected by that corporation indirectly or all of their competitors are also collecting and selling your data.
>Because Americans are so terrified of government that they can be completely okay with something terrible as long as it's private corporations doing it
That's not it. I think it is perfectly reasonable to set up a government with constraints and a culture of respect for the citizenry. It isn't about trust or no trust in 'government', because government is made up of individuals, and individuals have all kinds of motivations. I generally trust the government, but I am aware that any specific policy or decision can be a corrupt action for the benefit of some individual within the beurocracy.
Private corporations in America regularly go bankrupt, lose tons of money, go out of business, go defunct, etc. The government does not. It's just not the same thing at all. Private corporations can be dissolved by government action. They can be handled much easier than the government.
Not forcibly dissolved, but as we've seen with COVID and the recent 'woke' stuff, the public collectively punishes corporations they don't like. Even facebook is seeing a mass exodus from the platform after the election fiasco in 2016 and the ensuing controversy (which was around data privacy).
> It’s completely capable of engaging in domestic surveillance. And, indeed, it often does! So why would it need to purchase something it can obtain (more legitimately[?]) from its own dragnets and risk having part of its collection techniques exposed?
I don’t think the NSA needs to worry about adversaries learning the technique of exchanging money for information. Hacking the data brokers would cause more potential exposure of proprietary techniques.
I wish in the US we had some form of privacy protection as in the EU. What the EU has is not perfect, but I wish we had it.
My understanding is that one man, Senator Chuck Schumer, blocks any meaningful privacy legislation in his committee. A one man privacy wrecking ball. I read somewhere that his two daughters have high paying jobs at, I think, Meta and Microsoft.
EDIT: my point is that if we had better privacy, then corporations would have less information to sell.
> one cannot leave commercial data brokers unmonitored by agencies
That’s a feature haha. The largest lobbies are banks and organizations using those data brokers. The government leaves them alone, so they too can use them. It’s a way around laws.
The issue is that it’s the NSA, they’re not supposed to be investigate US citizens. They are supposed to be foreign signals intelligence.
I’d fully expect the FBI or CIA to do this. I’m not even sure it’s wrong for them to do that. At least no more wrong than anyone else that buys it in order to advertise you.
That’s not completely correct. The CIA has the least reason to access this data as they are only charted for intelligence collection outside the US. The FBI is law enforcement so they cannot touch or view any of that data without a warrant else they could invalid all manners of data collection in many open cases.
The NSA is chartered to collect data on communications entering and leaving the US. Decades ago that was completely unambiguous but less so now. Their collection of data on Americans is not illegal depending upon what they do with it. That was the most revealing part of the Snowden releases: insider threats misusing NSA data collected on Americans for personal use.
> The FBI is law enforcement so they cannot touch or view any of that data without a warrant else they could invalid all manners of data collection in many open cases.
This is just plain false. It is a long-held idea in American jurisprudence that information given to law enforcement by third parties can be used so long as that information was not collected under the direction of the government. https://en.wikipedia.org/wiki/Third-party_doctrine
I think many people would take issue with the claim that most information is given voluntarily. How many people even know that their car connects to cell towers, which allows for location tracking, let alone who actually volunteered for it?
>How many people even know that their car connects to cell towers, which allows for location tracking, let alone who actually volunteered for it?
The bigger problem is that cars are required by law to have unique identifiers prominently displayed (ie. license plates), so you had very little expectation of privacy to begin with. Even if your car wasn't connecting to cell towers, a network of license plate readers can figure out your location, and it's unclear why consent would be needed in that case.
That's the whole premise of automation and drag net though, no?
Sure, it is absolutely legal for a private investigator to park their car outside my home and follow me as soon as I leave and go anywhere in public. They can write down this information and keep logs. However, should it be legal to automate this for everyone?
I'm not asking whether it is legal but rather should it be.
In this case the information is not provided to the government. It is purchased. The distinction is the difference between an unexpected gift versus an overt act, and thus a search warrant would apply in the context of the FBI.
> The distinction is the difference between an unexpected gift versus an overt act, and thus a search warrant would apply in the context of the FBI.
Why would buying information you have no right to privacy for require a warrant? Police do not need warrants for generally publicly available information, and if anyone can buy this information why not police? Similar to how police do not require a warrant when they ask a phone company for records and the company just gives it to them without question.
If police ask you to search your house, you could let them or you could tell them to come back with a warrant but if you let them they can use what they find.
That is an irrelevant argument. With regard to the fourth amendment all that matters is whether the government is using that information to harm or detain somebody. It does not matter how much value you place upon that information or whether anybody should have it or not.
NSA are not law enforcement, so comparing the NSA to law enforcement results in absurd conclusions.
We need to change the legal premise that entities have the right to give up data they've collected on people without the express informed consent of those people, no matter who those entities want to give that data to.
People are consenting to this, that’s the issue. We need to change data privacy laws in general, the government buying it isn’t the real problem here it’s that it is for sale at all.
No this doesn’t matter, they aren’t forcing these companies to collect data they are buying data these companies collect as their business model and thus it is completely legal.
It is perfectly valid for the NSA to buy that data, because the NSA cannot use that data in a way that violates the fourth amendment without breaking other laws.
If the FBI buys that data they need to have probable cause prior to that purchase else all the purchased information and everything resulting from that information cannot be used to prosecute cases. The reason is because defendants have a legally established expectation of privacy on certain electronic communications such as email.
> The FBI is law enforcement so they cannot touch or view any of that data without a warrant else they could invalid all manners of data collection in many open cases.
Good faith discovery requires that the receiving party was ignorant of the malicious behavior of the collecting party, thus suggesting the receiving party formed a warrant in good faith. A good defense attorney would get that tossed. The primary legal theory to bypass an improper collection is inevitable discovery which does not apply here.
The Snowden leaks came out on 2013, it has been known since then that data collected in this manner is used against US citizens in the manner I described in the above comment despite your assertions to the contrary.
I cannot imagine not being furious about both, simultaneously.
That being said, one of these is the culmination of tens of thousands of tiny consent violations made by hundreds or thousands of immoral, largely anonymous villians.
The other is one enormous and brazen violation of the constitution, made by a government organization which is funded by citizens to protect and serve them.
Both violations warrant the strictest repercussions.
What I don’t understand is how they tie data to a specific human in meatspace. Like my car - I own it but if you drive it, you get the speeding ticket.
But with data - sure this post is from a meatspace device registered in my name / but does not indicate I am the actual meatspace person using it.
Consider public IP addresses. Geolocation can link an IP address to a region as imprecise to a country to a more precise region such as a city. Combining rough location to a few other data points can greatly narrow down meatspace candidates for a particular account [1]:
> According to one landmark study, these three characteristics are enough to uniquely identify 87% of the U.S. population. A different study showed that 63% of the U.S. population can be uniquely identified from these three facts.
If you have a significant online presence, your gender or age might be revealed by the way other users address you on some website. If a website happens to collect gender or birthday, then the website might share/sell the info to data brokers.
If police manage to narrow down the location of a potentially incriminating online action to a household, then the police could physically show up with a warrant and ask about who was using which computer in the house at that time.
Oh for sure. I don’t disagree - it’s just so.. easily “faked” too. Nothing is anon but also nothing short of me showing a cop looking over my shoulder is proof positive.
This is what Facebook was also doing. They were buying data from any website they could. (They made data buying a profitable thing because they knew they could use that for ad serving.)
If the US govt, if intelligence agencies are doing the same, are we calling this "illegal" or wrong? If so, why? If the US govt were to be doing this with a healthy dose of govt reach, then it would be a violation of law. But they are buying what is already available.
What are Apple and Google doing to protect their Android and iOS devices from these data brokers? Or are they just allowing and making it easier for them? Why give apps the power to do these things, why not give the power to the person who bought with their hard earned money these devices - why not let them choose whether to allow an app to grab all the data they can?
This is not new. As an example, the US Department of Homeland Security has been known to use Web of Science to help them identify foreign born researchers working in the US tied to their home country militaries.
Why is this a surprise? If the NSA et al is willing to break the law or at least bend it (a la Snowden revelations) why wouldn't they do something that is well within the law?
Making selling personal information illegal solves this problem. If there is no profit motive to collecting the data most companies will just not collect it.
Trading illegal drugs is illegal, but entire black markets still exist for that purpose. Monitoring illegal transactions that have no physical footprint (unlike drugs) is very difficult.
2) This is a wonderful "Hacker-ish" approach to the problem: Pollute the Database! My fear is that in the real (ie non tech-hacker) world, whatever false data my dbPollution script put into the table dedicated to me would be used to target me, and that the argument "No, I didn't make [suspicious searches 1, 2, and 3] - this tool designed to make Law Enforcement's job harder did!" would not be a winning argument with a) Judges, and b) a jury of my normie "peers".
In theory I love it; in practice, it scares the shit out of me.
This isn't a surprise, is it? It's not illegal, and this is the NSA we're talking about. The people who hacked domestic corporations for chuckles. If it's not illegal, and it's surveillance related, they're doing it.
Wyden's demand that companies stop selling our data "without consent" is political bullshit. It just means the companies have to stuff a "you consent to X" in their ToS. Which nobody reads, so nobody will push back on. Business as usual.
Not surprised in the least, and yet I probably trust the NSA with the data more than literally any other customer of those data brokers. Not that I trust the NSA all that much.
HN should maybe try engaging with this with the same urgency and focussed outrage as they would if they were told the perfidious, unreconstructed Brits were doing it.
"For example, such information is critical to protecting the US Defense Industrial Base" is not an overly convincing argument for purchasing "NetFlow"[1].
The US State department Exchange Online hack is an example of where "NetFlow" being purchased could be more interesting as an example. IP addresses such as those registered in Russia and to OVH data centres logging into State Department executive mailboxes at 3:00AM in US time zones should be laughably easy to detect.[4] Rented US virtual servers and AWS/Azure/GCP servers outside federal government availability zones would also be trivial to detect as suspicious source locations. The question that purchased "NetFlow" would help answer is what is connecting to those suspicious IP addresses, what is connected to those, what else do the chain of IP addresses found communicate with, etc.[5]
- Worst case there was no one was watching that attack as it occurred over ~4 months through use of "NetFlow" that may have been available and useful to use.
- Controversial case is someone was watching (possibly including attacker's use, if any, of US servers) and decided that it was better to keep watching and following the attackers than to immediately prevent a few State Department emails being leaked.
- Best case (not implemented) would seemingly be to fix terribly configured government systems so they can only be accessed from trusted locations and not random rented virtual server IPs, and "NetFlow" analysis is then probably not required. Security features such as "We've noticed your account is accessing this system from a new ISP--confirm this is really you?" aren't new.
I mostly agree. If I were them, this acquisition would be to augment building a baseline of traffic and patterns of life so they can better identify anomalies in the future.
It seems like a dereliction of duty for the NSA not to go to Congress and scream about needing to close this gaping flaw in the security of our nation.
Hasn’t that been pretty open since Snowden like 10 years ago?
Also, if anyone ever wonders how insidious the government is here’s food for thought — why does the US have such a crazy tax code? Quite literally all your life’s details give you small breaks on taxes - who you donated to, when you donated, why you donated. What property you own, what you did with it, new car? Is it an EV? Does it have power steering? Etc.
It would be far far easier to pass a flat tax or remove most breaks. Interesting enough, they want to track all transactions now to increase tax revenue
Because the US tries to micromanage people’s behavior through the tax code. E.g. it offers EV credits because they want you to buy an EV instead of a gas car.
I mean, I get why they would not understand it when the government micromanages companies by targeted tax breaks (called “tax loopholes”): they just hate companies and markets, and so they blame them for doing the exact thing the government wants them to do. But how can you not understand that the purpose of EV tax credits is to make people buy more EVs? That’s the whole point!