Patrick Walsh
Originally published at blog.ironcorelabs.com.

Welcome to the Revolving Door of Personal Data

The U.S. government needs a warrant to snoop on citizens, except when it can get the same data by asking a commercial entity that hands it over willingly or for a fee. So what happens when the government sells data to commercial entities, who then sell that data back to the government in an epic bypass of the 4th Amendment? Nothing happens. And that’s the problem.

Allow me to connect the dots for a moment.

Third-Party Doctrine

I’ve written before about the Third-Party Doctrine and other scenarios where warrants aren’t required:

https://blog.ironcorelabs.com/how-the-4th-amendment-is-bypassed-8b565fbdfa38

As a quick summary: The doctrine grows out of the “reasonable expectation of privacy” test from the Supreme Court’s 1967 Katz decision; later rulings in 1976 (Miller, bank records) and 1979 (Smith, dialed phone numbers) held that you forfeit that expectation when you voluntarily “give” your data to a third party, like when you use the phone company’s service to make a phone call. AT&T’s Hemisphere Project sells location data and phone call metadata (who called whom, when, and from where) to law enforcement without a warrant. There are numerous other examples.

“Public Data”

Some records are public, and new privacy laws like the California Consumer Privacy Act (CCPA) explicitly exclude that data from protection. For example, real estate ownership data is available for anyone to search.

But other data is more sensitive and not publicly searchable, yet it’s available for sale. For example, DMV driver license data is being sold by California to private companies, private investigators, and others:

https://www.vice.com/amp/en_us/article/evjekz/the-california-dmv-is-making-dollar50m-a-year-selling-drivers-personal-information

(Hat tip to Joseph Cox for that terrific reporting.)

Facial Recognition Databases

A recent New York Times article on a secretive facial recognition company called Clearview AI is alarming on a number of fronts. That law enforcement uses facial recognition is not news, though. We knew by 2018 that law enforcement face recognition databases already covered some 117 million American adults. What’s different here is that those databases were held by law enforcement, which had to exercise care, checks, and balances to use them in a way that would be admissible in court.

The database that’s being held by Clearview AI (and perhaps by other companies who are also stealthily selling this sort of data), however, bypasses the usual warrant protections. When a third party sells the data to law enforcement, there’s no need for warrants. And under the Third-Party Doctrine, it’s admissible.

Now suppose you’re a company that’s trying to build a database of reliable associations between faces and names. You’ll want to get data from as many sources as possible but very few have reliable associations to names. After all, Facebook doesn’t check very hard to make sure your Facebook name is actually your name.

Are these facial recognition database companies buying up data from DMVs around the country? Let’s assume they are.

The Great Bypass

So if you’re law enforcement and you find due process and privacy protections tedious (as I’m sure is the case), then just imagine how much easier life is if facial recognition databases are held by private companies.

Government sells data to private companies. Private companies sell searches of this data back to the Government. The Third-Party Doctrine is triggered and warrants are not required. All red tape is removed and everyone* is happy.

To be clear, this is conjecture. I don’t have evidence of this happening today. And yet, as far as I know, it is so plausible as to be highly likely. If you know of laws that would stop this scenario from happening — that would make it illegal, for example, for Clearview AI (the subject of the NYTimes article) to buy DMV data and for law enforcement to use that data without a warrant — please share your thoughts in the comments.

Also, to be clear, no one outside of law enforcement and these private companies should be happy. Government should not know who people are or where they go without a compelling reason to know that information. Without such a compelling reason, that sort of information is subject to abuse for political and personal reasons.

Your Privacy at Risk

This scenario scares me deeply. How can democracy survive when the tools available to the State reach levels of near omnipotence? After all, do we want to be a society where people wear masks and carry umbrellas in order to attend a protest without fear of retaliation? Because that’s not some dystopian future scenario. That’s happening today in Hong Kong.

And if you think that can’t happen here in the U.S., it’s worth remembering that there are many ways the data can be abused that never involve the courts or an arrest, and so never give you a chance to contest the data’s use. AT&T’s Hemisphere program sells data going back to the 1980s. How might data collected today affect our chances of getting a job, an invitation to speak at a conference, or a contract with the Government tomorrow?

At IronCore, we care about data privacy. Check out our end-to-end encryption and customer managed keys solutions to see how we can help you make the world a little safer each day for enterprise software.