Ever since Congress voted to undo Federal Communications Commission (FCC) rules that prevented ISPs from selling internet connection records for a profit, questions have arisen about the government's underlying motivations and how it might exploit the situation to conduct mass surveillance.
Now, research at the Georgetown School of Law is helping to shed light on institutionalized governmental exploitation of private databases; used for snooping that would otherwise be legally restricted.
The research sheds light on why the US government has failed to pass strong data privacy laws and could reveal why the Trump administration voted in favor of permitting ISPs to sell internet connection records to third parties.
The details, which were first published in the Washington Post, reveal that US Immigration and Customs Enforcement (ICE), the Department of Justice, and the Department of Homeland Security all regularly leverage a commercial database that contains the personally identifiable information of over 400 million US citizens.
The information in the CLEAR database is composed of data harvested from over 80 American utility providers, and includes personal information such as names and addresses – data that Georgetown Law reveals is being used by ICE to regularly investigate immigration violations.
CLEAR breach of privacy
The CLEAR database is run by the international media conglomerate Thomson Reuters, and it contains billions of individual records that the Washington Post and Georgetown Law say are both sensitive and invasive.
Reuters sells the government access to this database because it is legally entitled to do so – a problem caused by the lack of strong federal privacy protections in the US. What it's important to remember, is that CLEAR is only one of many commercially available databases that authorities can procure under the current legal framework.
Current federal-level privacy protections date back to the 18th century and were written in the context of a completely different social paradigm. Though the laws protect the privacy of people's homes and physical belongings, they fail to prevent highly invasive data flows resulting in overreaching surveillance practices.
Members of the House Committee on Oversight and Reform understand the privacy implications involved in exploiting commercial databases for investigatory purposes. In a letter to Reuters, the committee said:
"We are concerned that Thomson Reuters' commercialization of personal and use data of utility customers and sale of broad access to ICE is an abuse of privacy, and that ICE's use of this database is an abuse of power."
Unfortunately, the entire US system is designed to permit this data commerce. This creates technical loopholes that leave US citizens in the dark about the mass surveillance that is transpiring.
The scale of the problem is alarming because the data being accumulated about consumers can reveal highly intimate details about their lives – not only directly – but also by deducing secondary inferences via technological means.
For better or worse?
What's happening with CLEAR is in no way novel and is simply further evidence that such invasive markets exist. In 2017, the Trump administration voted in favor of eliminating consumer privacy protections issued by the FCC. As a result, Internet Service Providers (ISPs) were given permission to harvest and sell users' internet connection records without seeking prior consent. This decision raises serious concerns considering Georgetown Law's findings.
On the face of it, not enforcing mandatory data retention on ISPs appears to make the US more protective of consumer privacy rights than elsewhere. The reality, however, is that US snoops could now legally gather the same information by purchasing it directly from ISPs.
In the UK, the Investigatory Powers Act predicates that all ISPs must keep detailed logs of internet connection records for 12 months. As a result, a wide cross-section of government bodies can access those records without a warrant.
Similar data retention directives in Australia, Denmark, Sweden, Germany, Brazil – and a growing list of countries – mean that the authorities can monitor everything citizens do online regardless of whether they are suspected of a crime.
These kinds of regulations are highly invasive because they allow authorities to snoop on people's web browsing habits. However, they do at least do so in a time-constrained manner that sets limitations on how long the data can be stored and accessed.
US authorities' exploitation of commercial databases permits government agencies to engage in the same kind of surveillance without that structure. This creates confusion and leads US consumers to believe that they are not being exposed to the same level of surveillance as in countries like the UK, despite the fact that they could be.
The reality is that this is just smoke and mirrors. While government agencies remain legally entitled to buy up commercial data, there is an ongoing way for authorities to access people's Internet Connection Records (and any other commercial data) without the need for mandatory data retention laws.
Routine access to commercial records for mass surveillance reveals that government agencies are actively exploiting the US' lack of strong data privacy protections to acquire the information it could otherwise not legally compile itself.
This results in an abuse of power and creates a dire need for new federal-level privacy protections. Failure to pass such laws will continue to result in people's financial records, phone records, internet records – and any other data compiled by US data brokers – being sold to the government for surveillance purposes without accountability. A situation that is ultimately worse, not better, than that experienced elsewhere.