On January 25, 2024, Senator Ron Wyden (D-OR) released documents that confirm U.S. intelligence agencies are purchasing location and other sensitive personal information from data brokers without the consent of the data subjects. The FTC has recently gone after data brokers who collect and sell the sensitive location data of consumers without their express consent, but intelligence agencies purchase information from these data brokers that they would otherwise need a warrant to obtain. Businesses must be mindful of where their sensitive consumer data is going and protect themselves from the risks of allowing this data to end up in the hands of these data brokers without strong agreements.
In a letter to the Director of National Intelligence, Avril Haines, Senator Wyden released declassified letters from the Pentagon indicating, for example, that the National Security Agency (NSA) has been purchasing Americans’ browsing data from data brokers without getting a warrant. In his letter, Senator Wyden demands that she “take action to ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.” These data brokers are operating in what he calls a “legal gray area,” as he claims both the data brokers and the U.S. intelligence community attempt to shield the public from knowledge of these practices.
In its letters to Senator Wyden, the NSA claims that certain kinds of “commercially available information” provide significant intelligence value to the U.S. intelligence community as part of its crucial national security mission, including protecting the U.S. Defense Industrial Base. The NSA admits to purchasing commercially available netflow (non-content) data related to domestic internet communications. Ronald Moultrie, the Under Secretary of Defense, stated in his letter to Senator Wyden that various agencies, including the NSA, “buy commercial data, which includes information associated with phones located outside and inside the United States.”
Senator Wyden argues that “the U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.” He points to a recent FTC enforcement action against the data broker X-Mode Social and its successor Outlogic, LLC (“X-Mode”). The FTC alleged that X-Mode was selling raw location data without obtaining consumer consent and that it had failed to put in place reasonable safeguards on the use of this information by third parties. This data is sensitive because it can be used to track visits to places of worship, domestic abuse centers, and healthcare facilities, including reproductive health clinics. The FTC order stemming from this enforcement action prohibits X-Mode from selling or sharing this sensitive location data. This is the first settlement with a data broker regarding the sale of sensitive location information.
According to the FTC, one of the ways that X-Mode collected this precise location data was through a software development kit (SDK) that X-Mode marketed to third-party mobile apps. An SDK is a collection of app development tools that mobile app developers can use to enable various features or functions within a mobile app. These tools may also enable transmission of data from mobile apps in which they are embedded, including personal data. To incentivize mobile app developers to incorporate the X-Mode SDK into their apps, X-Mode promised them passive revenue for each mobile device that allowed the SDK to collect location data. The FTC alleged that X-Mode had provided app publishers and others with incomplete or misleading notices about their data practices, and failed to verify that the publishers were obtaining consent to grant X-Mode access to their sensitive location data.
This highlights how the use of third-party SDKs creates a risk for mobile app publishers that personal data may be disclosed to the SDK provider and others and used by those recipients in ways the publisher does not expect. This can lead to liability and compliance risks should these disclosures and uses not align with the mobile app provider’s privacy policy or applicable legal standards.
There are several steps companies can take to protect themselves from these risks. First, companies that publish mobile applications must ensure they understand, at a technical level of detail, what data flows originate from their applications via SDKs and other third-party tools. Second, businesses should enter into agreements with service providers that restrict the use of consumer personal information to that which is necessary to perform the services and otherwise align with legal standards for service provider agreements. Third, businesses should consider what level of transparency may be required or, even if not required, what level is advisable from a consumer relations and brand reputation standpoint, and whether there is a need to obtain consumer consent.