In 2018, the Supreme Court ruled that warrants were needed to obtain cell site location info (CSLI). That decision dealt with law enforcement’s warrantless acquisition of 127 days of location data from a cell service provider. As the court saw it, the government was leveraging access to this data to turn cell phones (which has been given heightened protections with the 2014 Riley decision) into government tracking devices, all without having to bother with warrants or deploying government-crafted tracking tech.
The rationale for this 4th Amendment bypass was this: location data slurped up by websites and downloaded apps wasn’t exactly the same thing as cell tower location data. Therefore, it could be had without a warrant. In fact, it could be had without bothering the courts at all with a subpoena or any other lighter-weight legal paperwork. The government could just buy this data and sort through it to find what it was looking for. Some third parties were even willing to do the sorting for the right price, freeing the government up to pursue other rights violations.
This option obviously experienced a jump in popularity following the Supreme Court’s Carpenter ruling. While the spokespeople constantly stated the agencies they represented (which was pretty much all of them when it came to buying data from data brokers) were super-interested in respecting constitutional rights, they never took the time to explain their “respect” meant constantly testing (or breaking!) the boundaries until court precedent forced them to do otherwise.
In 2023, anti-encryption zealot Christopher Wray was heading the FBI. During the last years of his tenure, he admitted to Congress (or, more specifically, privacy hawk Senator Ron Wyden) that the FBI was — like CBP, ICE, US Secret Service, IRS, and federal prisons — buying up as much location data as it could purchase. Wray insisted this process was “court-authorized,” but somehow couldn’t find any court documents laying around that would support his claims of authorization.
The government is still buying this data. And it’s even more problematic than it was a few years ago, when federal agencies weren’t being run by MAGA loyalists and outright racists. Now there’s a new wrinkle: the government is delving into ad markets to siphon off RTB (real-time bidding) data that’s capable of tying location data to specific devices, even if those hawking the data pretend it’s been anonymized.
When asked by U.S. Senator Ron Wyden, Democrat of Oregon, if the FBI would commit to not buying Americans’ location data, Patel said that the agency “uses all tools … to do our mission.”
“We do purchase commercially available information that is consistent with the Constitution and the laws under the Electronic Communications Privacy Act — and it has led to some valuable intelligence for us,” Patel testified Wednesday.
First, there’s the obviously false insistence that this is all very constitutional. Buying location data from data brokers doesn’t just violate the spirit of the Supreme Court’s Carpenter decision, it’s only a letter or three off from violating the letter of the law. When the only difference is where you’re obtaining long-term location tracking data, you’re just exploiting loopholes rather than actually trying to be “consistent with the Constitution.”
The second part is even stupider. When you claim that legally-questionable efforts have “led to some valuable intelligence,” you’re just saying that the ends justify the means. And if that’s the low bar you’ve set for yourself, you’re going to be violating rights regularly because you prefer harvesting data to respecting rights.
This sums up the government’s stance concisely:
The FBI claims it does not need a warrant to use this information for federal investigations; though this legal theory has not yet been tested in court.
The government — especially this one — will never err on the side of restraint. It would rather explore the outer edges of legal theory, sacrificing our rights in exchange for more government power. At some point, this legal theory will be tested. But until it is, the government is going to continue to pretend the implications of Carpenter don’t apply to anything that hasn’t been specifically ruled unconstitutional.
We’ve all had the unsettling experience of seeing an ad online that reveals just how much advertisers know about our lives. You’re right to be disturbed. Those very same online ad systems have been used by the government to warrantlessly track peoples’ locations, new reporting has confirmed.
For years, the internet advertising industry has been sucking up our data, including our location data, to serve us “more relevant ads.” At the same time, we know that federal law enforcement agencies have been buying up our location data from shady data brokers that most people have never heard of.
Now, a new report gives us direct evidence that Customs and Border Protection (CBP) has used location data taken from the internet advertising ecosystem to track phones. In a document uncovered by 404 Media, CBP admits what we’ve been saying for years: The technical systems powering creepy targeted ads also allow federal agencies to track your location.
The document acknowledges that a program by the agency to use “commercially available marketing location data” for surveillance drew from the process used to select the targeted ads shown to you on nearly every website and app you visit. In this blog post, we’ll tell you what this process is, how it can and is being used for state surveillance, and what can be done about it—by individuals, by lawmakers, and by the tech companies that enable these abuses.
Advertising Surveillance Enables Government Surveillance
The online advertising industry has built a massive surveillance machine, and the government can co-opt it to spy on us.
In the absence of strong privacy laws, surveillance-based advertising has become the norm online. Companies track our online and offline activity, then share it with ad tech companies and data brokers to help target ads. Law enforcement agencies take advantage of this advertising system to buy information about us that they would normally need a warrant for, like location data. They rely on the multi-billion-dollar data broker industry to buy location data harvested from people’s smartphones.
We’ve known for years that location data brokers are one part of federal law enforcement’s massive surveillance arsenal, including immigration enforcement agencies like CBP and Immigration and Customs Enforcement (ICE). ICE, CBP and the FBI have purchased location data from the data broker Venntell and used it to identify immigrants who were later arrested. Last year, ICE purchased a spy tool called Webloc that gathers the locations of millions of phones and makes it easy to search for phones within specific geographic areas over a period of time. Webloc also allows them to filter location data by the unique advertising IDs that Apple and Google assign to our phones.
But a document recently obtained by 404 Media is the first time CBP has acknowledged the location data it buys is partially sourced from the system powering nearly every ad you see online: real-time bidding (RTB). As CBP puts it, “RTB-sourced location data is recorded when an advertisement is served.”
Even though this document is about a 2019-2021 pilot use of this data, CBP and other federal agencies have continued to purchase and use commercially obtained location data. ICE has purchased location tracking tools since then and recently requested information on “Ad Tech” tools it could use for investigations.
The CBP document acknowledges two sources of location data that it relies on: software development kits (SDKs) and RTB, both methods of location-tracking that EFF has written about before. Apps for weather, navigation, dating, fitness, and “family safety” often request location permissions to enable key features. But once an app has access to your location, it could share it with data brokers directly through SDKs or indirectly (and often without the app developers’ knowledge) through RTB. Data brokers can collect location data from SDKs that they pay developers to put in their apps. When relying on RTB, data brokers don’t need any direct relationship with the apps and websites they’re collecting location data from. RTB is facilitated by ad companies that are already plugged into most websites and apps.
How Real-Time Bidding Works
RTB is the process by which most websites and apps auction off their ad space. Unfortunately, the milliseconds-long auctions that determine which ads you see also expose your information, including location data, to thousands of companies a day. At a high-level, here’s how RTB works:
The moment you visit a website or app with ad space, it asks an ad tech company to determine which ads to display for you.
This ad tech company packages all the information they can gather about you into a “bid request” and broadcasts it to thousands of potential advertisers.
The bid request may contain information like your unique advertising ID, your GPS coordinates, IP address, device details, inferred interests, demographic information, and the app or website you’re visiting. The information in bid requests is called “bidstream data” and typically includes identifiers that can be linked to real people.
Advertisers use the personal information in each bid request, along with data profiles they’ve built about you over time, to decide whether to bid on the ad space.
The highest bidder gets to display an ad for you, but advertisers (or the adtech companies that represent them) can collect your bidstream data regardless of whether or not they bid on the ad space.
A key vulnerability of real-time bidding is that while only one advertiser wins the auction, all participants receive data about the person who would see their ad. As a result, anyone posing as an ad buyer can access a stream of sensitive data about billions of individuals a day. Data brokers have taken advantage of this vulnerability to harvest data at a staggering scale. For example, the FTC found that location data broker Mobilewalla collected data on over a billion people, with an estimated 60% sourced from RTB auctions. Leaked data from another location data broker, Gravy Analytics, referenced thousands of apps, including Microsoft apps, Candy Crush, Tinder, Grindr, MyFitnessPal, pregnancy trackers and religious-focused apps. When confronted, several of these apps’ developers said they had never heard of Gravy Analytics.
As Venntel, one of the location data brokers that has sold to ICE, puts it, “Commercially available bidstream data from the advertising ecosystem has long been one of the most comprehensive sources of real-time location and device data available.” But the privacy harms of RTB are not just a matter of misuse by individual data brokers. RTB auctions broadcast the average person’s data to thousands of companies, hundreds of times per day, with no oversight of how this information is ultimately exploited. Once your information is broadcast through RTB, it’s almost impossible to know who receives it or control how it’s used.
What You Can Do To Protect Yourself
Revelations about the government’s exploitation of this location data shows how dangerous online tracking has become, but we’re not powerless. Here are two basic steps you can take to better protect your location data:
Disable your mobile advertising ID (see instructions for iPhone/Android). Apple and Google assign unique advertising IDs to each of their phones. Location data brokers use these advertising IDs to stitch together the information they collect about you from different apps.
Review apps you’ve granted location permissions to. Apps that have access to your location could share it with other companies, so make sure you’re only granting location permission to apps that really need it in order to function. If you can’t disable location access completely for an app, limit it to only when you have the app open or only approximate location instead of precise location.
For more tips, check out EFF’s guide to protecting yourself from mobile-device based location tracking. Keep in mind that the security plan that’s best for you will vary in different situations. For example, you may want to take stronger steps to protect your location data when traveling to a sensitive location, like a protest.
What Tech Companies and Lawmakers Must Do
Legislators and tech companies must act so that individuals don’t bear the burden of defending their data every time they use the internet.
Ad tech companies must reckon with their role in warrantless government surveillance, among other privacy harms. The systems they built for targeted advertising are actively used to track people’s location. The best way to prevent online ads from fueling surveillance is to stop targeting ads based on detailed behavioral profiles. Ads can still be targeted contextually—based on the content people are viewing—without collecting or exposing their sensitive personal information. Short of moving to contextual advertising, tech companies can limit the use of their systems for government location tracking by:
Stopping the use of precise location data for targeted advertising. Ad tech companies facilitating ad auctions can and should remove precise location data from bid requests. Ads can be targeted based on people’s coarse location, like the city they’re in, without giving data brokers people’s exact GPS coordinates. Precise location data can reveal where we work, where we live, who we meet, where we protest, where we worship, and more. Broadcasting it to thousands of companies a day through RTB is dangerous.
Removing advertising IDs from devices, or at minimum, disabling them by default. Advertising IDs have become a linchpin of the data broker economy and are actively used by law enforcement to track people’s location. Advertising IDs were added to phones in 2012 to let companies track you, and removing them is not a far-fetched idea. When Apple forced apps to request access to people’s advertising IDs starting in 2021 (if you have an iPhone you’ve probably seen the “Ask App Not to Track” pop-ups), 96% of U.S. users opted out, essentially disabling advertising IDs on most iOS devices. One study found that iPhone users were less likely to be victims of financial fraud after Apple implemented this change. Google should follow Apple’s lead and disable advertising IDs by default.
Lawmakers also need to step up to protect their constituents’ privacy. We need strong, federal privacy laws to stop companies from spying on us and selling our personal information. EFF advocates for data privacy legislation with teeth and a ban on ad targeting based on online behavioral profiles, as it creates a financial incentive for companies to track our every move.
Legislators can and must also close the “data broker loophole” on the Fourth Amendment. Instead of obtaining a warrant signed by a judge, law enforcement agencies can just buy location data from private brokers to find out where you’ve been. Last year, Montana became the first state in the U.S. to pass a law blocking the government from buying sensitive data it would otherwise need a warrant to obtain. And in 2024, Senator Ron Wyden’s EFF-endorsed Fourth Amendment is Not for Sale Act passed the House before dying in the Senate. Others should follow suit to stop this end-run around constitutional protections.
Online behavioral advertising isn’t just creepy–it’s dangerous. It’s wrong that our personal information is being silently harvested, bought by shadow-y data brokers, and sold to anyone who wants to invade our privacy. This latest revelation of warrantless government surveillance should serve as a frightening wakeup call of how dangerous online behavioral advertising has become.
The Trump administration is loosening restrictions on the sharing of law enforcement information with the CIA and other intelligence agencies, officials said, overriding controls that have been in place for decades to protect the privacy of U.S. citizens.
Government officials said the changes could give the intelligence agencies access to a database containing hundreds of millions of documents — from FBI case files and banking records to criminal investigations of labor unions — that touch on the activities of law-abiding Americans.
Administration officials said they are providing the intelligence agencies with more information from investigations by the FBI, Drug Enforcement Administration and other agencies to combat drug gangs and other transnational criminal groups that the administration has classified as terrorists.
But they have taken these steps with almost no public acknowledgement or notification to Congress. Inside the government, officials said, the process has been marked by a similar lack of transparency, with scant high-level discussion and little debate among government lawyers.
“None of this has been thought through very carefully — which is shocking,” one intelligence official said of the moves to expand information sharing. “There are a lot of privacy concerns out there, and nobody really wants to deal with them.”
A spokesperson for the Office of the Director of National Intelligence, Olivia Coleman, declined to answer specific questions about the expanded information sharing or the legal basis for it.
Instead, she cited some recent public statements by senior administration officials, including one in which the national intelligence director, Tulsi Gabbard, emphasized the importance of “making sure that we have seamless two-way push communications with our law enforcement partners to facilitate that bi-directional sharing of information.”
In the aftermath of the Watergate scandal, revelations that Presidents Lyndon Johnson and Richard Nixon had used the CIA to spy on American anti-war and civil rights activists outraged Americans who feared the specter of a secret police. The congressional reforms that followed reinforced the long-standing ban on intelligence agencies gathering information about the domestic activities of U.S. citizens.
Compared with the FBI and other federal law enforcement organizations, the intelligence agencies operate with far greater secrecy and less scrutiny from Congress and the courts. They are generally allowed to collect information on Americans only as part of foreign intelligence investigations. Exemptions must be approved by the U.S. attorney general and the director of national intelligence. The National Security Agency, for example, can intercept communications between people inside the United States and terror suspects abroad without the probable cause or judicial warrants that are generally required of law enforcement agencies.
Since the terror attacks of Sept. 11, 2001, the expansion of that surveillance authority in the fight against Islamist terrorism has been the subject of often intense debates among the three branches of government.
Word of the Trump administration’s efforts to expand the sharing of law enforcement information with the intelligence agencies was met with alarm by advocates for civil liberties protections.
“The Intelligence Community operates with broad authorities, constant secrecy and little-to-no judicial oversight because it is meant to focus on foreign threats,” Sen. Ron Wyden of Oregon, a senior Democrat on the Senate Select Committee on Intelligence, said in a statement to ProPublica.
Giving the intelligence agencies wider access to information on the activities of U.S. citizens not suspected of any crime “puts Americans’ freedoms at risk,” the senator added. “The potential for abuse of that information is staggering.”
Most of the current and former officials interviewed for this story would speak only on condition of anonymity because of the secrecy of the matter and because they feared retaliation for criticizing the administration’s approach.
Virtually all those officials said they supported the goal of sharing law enforcement information more effectively, so long as sensitive investigations and citizens’ privacy were protected. But after years in which Republican and Democratic administrations weighed those considerations deliberately — and made little headway with proposed reforms — officials said the Trump administration has pushed ahead with little regard for those concerns.
“There will always be those who simply want to turn on a spigot and comingle all available information, but you can’t just flip a switch — at least not if you want the government to uphold the rule of law,” said Russell Travers, a former acting director of the National Counterterrorism Center who served in senior intelligence roles under both Republican and Democratic administrations.
The 9/11 attacks — which exposed the CIA’s failure to share intelligence with the FBI even as Al Qaida moved its operatives into the United States — led to a series of reforms intended to transform how the government managed terrorism information.
A centerpiece of that effort was the establishment of the NCTC, as the counterterrorism center is known, to collect and analyze intelligence on foreign terrorist groups. The statutes that established the NCTC explicitly prohibit it from collecting information on domestic terror threats.
National security officials have spent much less time trying to remedy what they have acknowledged are serious deficiencies in the government’s management of intelligence on organized crime groups.
In 2011, President Barack Obama noted those problems in issuing a new national strategy to “build, balance and integrate the tools of American power to combat transnational organized crime.” Although the Obama plan stressed the need for improved information-sharing, it led to only minimal changes.
President Donald Trump has seized on the issue with greater urgency. He has also declared his intention to improve information-sharing across the government, signing an executive order to eliminate “information silos” of unclassified information.
More consequentially, he went on to brand more than a dozen Latin American drug mafias and criminal gangs as terrorist organizations.
The administration has used those designations to justify more extreme measures against the criminal groups. Since last year, it has killed at least 148 suspected drug smugglers with missile strikes in the Caribbean and the eastern Pacific, steps that many legal experts have denounced as violations of international law.
Some administration officials have argued that the terror designations entitle intelligence agencies to access all law enforcement case files related to the Sinaloa Cartel, the Jalisco New Generation Cartel and other gangs designated by the State Department as foreign terrorist organizations.
The first criterion for those designations is that a group must “be a foreign organization.” Yet unlike Islamist terror groups such as al-Qaida or al-Shabab, Latin drug mafias and criminal gangs like MS-13 have a large and complex presence inside the United States. Their members are much more likely to be U.S. citizens and to live and operate here.
Those steps were seen by some intelligence experts as potentially opening the door for the CIA and other agencies to monitor Americans who support antifa in violation of their free speech rights. The approach also echoed justifications that both Johnson and Nixon used for domestic spying by the CIA: that such investigations were needed to determine whether government critics were being supported by foreign governments.
The wider sharing of law enforcement case files is also being driven by the administration’s abrupt decision to disband the Justice Department office that for decades coordinated the work of different agencies on major drug trafficking and organized crime cases. That office, the Organized Crime Drug Enforcement Task Force, was abruptly shut down on Sept. 30 as the Trump administration was setting up a new network of Homeland Security Task Forces designed by the White House homeland security adviser, Stephen Miller.
The new task forces, which were first described in detail by ProPublica last year, are designed to refocus federal law enforcement agencies on what Miller and other officials have portrayed as an alarming nexus of immigration and transnational crime. The reorganization also gives the White House and the Department of Homeland Security new authority to oversee transnational crime investigations, subordinating the DEA and federal prosecutors, who were central to the previous system.
That reorganization has set off a struggle over the control of OCDETF’s crown jewel, a database of some 770 million records that is the only central, searchable repository of drug trafficking and organized crime case files in the federal government.
Until now, the records of that database, which is called Compass, have only been accessible to investigators under elaborate rules agreed to by the more than 20 agencies that shared their information. The system was widely viewed as cumbersome, but officials said it also encouraged cooperation among the agencies while protecting sensitive case files and U.S. citizens’ privacy.
Although the Homeland Security Task Forces took possession of the Compass system when their leadership moved into OCDETF’s headquarters in suburban Virginia, the administration is still deciding how it will operate that database, officials said.
However, officials said, intelligence agencies and the Defense Department have already taken a series of technical steps to connect their networks to Compass so they can access its information if they are permitted to do so.
The White House press office did not respond to questions about how the government will manage the Compass database and whether it will remain under the control of the Homeland Security Task Forces.
The National Counterterrorism Center, under its new director, Joe Kent, has been notably forceful in seeking to manage the Compass system, several officials said. Kent, a former Army Special Forces and CIA paramilitary officer who twice ran unsuccessfully for Congress in Washington state, was previously a top aide to the national intelligence director, Tulsi Gabbard.
The FBI, DEA and other law enforcement agencies have strongly opposed the NCTC effort, the officials said. In internal discussions, they added, the law enforcement agencies have argued that it makes no sense for an intelligence agency to manage sensitive information that comes almost entirely from law enforcement.
“The NCTC has taken a very aggressive stance,” one official said. “They think the agencies should be sharing everything with them, and it should be up to them to decide what is relevant and what U.S. citizen information they shouldn’t keep.”
The FBI declined to comment in response to questions from ProPublica. A DEA spokesperson also would not discuss the agency’s actions or views on the wider sharing of its information with the intelligence community. But in a statement the spokesman added, “DEA is committed to working with our IC and law enforcement partners to ensure reliable information-sharing and strong coordination to most effectively target the designated cartels.”
Even with the Trump administration’s expanded definition of what might constitute terrorist activity, the information on terror groups accounts for only a small fraction of the records in the Compass system, current and former officials said.
The records include State Department visa records, some files of U.S. Postal Service inspectors, years of suspicious transaction reports from the Treasury Department and call records from the Bureau of Prisons.
Investigative files of the FBI, DEA and other law enforcement agencies often include information about witnesses, associates of suspects and others who have never committed any crimes, officials said.
“You have witness information, target information, bank account information,” the former OCDETF director, Thomas Padden, said in an interview. “I can’t think of a dataset that would not be a concern if it were shared without some controls. You need checks and balances, and it’s not clear to me that those are in place.”
Officials familiar with the interagency discussions said NCTC and other intelligence officials have insisted they are interested only in terror-related information and that they have electronic systems that can appropriately filter out information on U.S. persons.
But FBI and other law enforcement agencies have challenged those arguments, officials said, contending that the NCTC proposal would almost inevitably breach privacy laws and imperil sensitive case information without necessarily strengthening the fight against transnational criminals.
Already, NCTC officials have been pressing the FBI and DEA to share all the information they have on the criminal groups that have been designated as terrorist organizations, officials said.
The DEA, which had previously earned a reputation for jealously guarding its case files, authorized the transfer of at least some of those files, officials said, adding to pressure on the FBI to do the same.
Administration lawyers have argued that such information sharing is authorized by the Intelligence Reform and Terrorism Prevention Act of 2004, the law that reorganized intelligence activities after 9/11. Officials have also cited the 2001 Patriot Act, which gives law enforcement agencies power to obtain financial, communications and other information on a subject they certify as having ties to terrorism.
The central role of the NCTC in collecting and analyzing terrorism information specifically excludes “intelligence pertaining exclusively to domestic terrorists and domestic counterterrorism.” But that has not stopped Kent or his boss, intelligence director Gabbard, from stepping over red lines that their predecessors carefully avoided.
In October, Kent drew sharp criticism from the FBI after he examined files from the bureau’s ongoing investigation of the assassination of Charlie Kirk, the right-wing activist. That episode was first reported by The New York Times.
Last month, Gabbard appeared to lead a raid at which the FBI seized truckloads of 2020 presidential voting records from an election center in Fulton County, Georgia. Officials later said she was sent by Trump but did not oversee the operation.
In years past, officials said, the possibility of crossing long-settled legal boundaries on citizens’ privacy would have precipitated a flurry of high-level meetings, legal opinions and policy memos. But almost none of that internal discussion has taken place, they said.
“We had lengthy interagency meetings that involved lawyers, civil liberties, privacy and operational security types to ensure that we were being good stewards of information and not trampling all over U.S. persons’ privacy rights,” said Travers, the former NCTC director.
When administration officials abruptly moved to close down OCDETF and supplant it with the Homeland Security Task Forces network, they seemed to have little grasp of the complexities of such a transition, several people involved in the process said.
The agencies that contributed records to OCDETF were ordered to sign over their information to the task forces, but they did so without knowing if the system’s new custodians would observe the conditions under which the files were shared.
Nor were they encouraged to ask, officials said.
While both the FBI and DEA have objected to a change in the protocols, officials said smaller agencies that contributed some of their records to the OCDETF system have been “reluctant to push back too hard,” as one of them put it.
The NCTC, which faced budget cuts during the Biden administration, has been among those most eager to service the new Homeland Security Task Forces. To that end, it set up a new fusion center to promote “two-way intelligence sharing of actionable information between the intelligence community and law enforcement,” as Gabbard described it.
The expanded sharing of law enforcement and intelligence information on trafficking groups is also a key goal of the Pentagon’s new Tucson, Arizona-based Joint Interagency Task Force-Counter Cartel. In announcing the task force’s creation last month, the U.S. Northern Command said it would work with the Homeland Security Task Forces “to ensure we are sharing all intelligence between our Department of War, law enforcement and Intelligence Community partners.”
In the last months of the Biden administration, a somewhat similar proposal was put forward by the then-DEA administrator, Anne Milgram. That plan involved setting up a pair of centers where DEA, CIA and other agencies would pool information on major Mexican drug trafficking groups.
At the time, one particularly strong objection came from the Defense Department’s counternarcotics and stabilization office, officials said. The sharing of such law enforcement information with the intelligence community, an official there noted, could violate laws prohibiting the CIA from gathering intelligence on Americans inside the United States.
The Pentagon, he warned, would want no part of such a plan.
The SAFE act, introduced by Senators Mike Lee and Dick Durbin, is the first of many likely proposals we will see to reauthorize Section 702 of the Foreign Intelligence Surveillance Act (FISA) Amendments Act of 2008—and while imperfect, it does propose a litany of real and much-needed reforms of Big Brother’s favorite surveillance authority.
The irresponsible 2024 reauthorization of the secretive mass surveillance authority Section 702 not only gave the government two more years of unconstitutional surveillance powers, it also made the policy much worse. But, now people who value privacy and the rule of law get another bite at the apple. With expiration for Section 702 looming in April 2026, we are starting to see the emergence of proposals for how to reauthorize the surveillance authority—including calls from inside the White House for a clean reauthorization that would keep the policy unchanged. EFF has always had a consistent policy: Section 702 should not be reauthorized absent major reforms that will keep this tactic of foreign surveillance from being used as a tool of mass domestic espionage.
What is Section 702?
Section 702 was intended to modernize foreign surveillance of the internet for national security purposes. It allows collection of foreign intelligence from non-Americans located outside the United States by requiring U.S.-based companies that handle online communications to hand over data to the government. As the law is written, the intelligence community (IC) cannot use Section 702 programs to target Americans, who are protected by the Fourth Amendment’s prohibition on unreasonable searches and seizures. But the law gives the intelligence community space to target foreign intelligence in ways that inherently and intentionally sweep in Americans’ communications.
We live in an increasingly globalized world where people are constantly in communication with people overseas. That means, while targeting foreigners outside the U.S. for “foreign intelligence Information” the IC routinely acquires the American side of those communications without a probable cause warrant. The collection of all that data from U.S telecommunications and internet providers results in the “incidental” capture of conversations involving a huge number of people in the United States.
But, this backdoor access to U.S. persons’ data isn’t “incidental.” Section 702 has become a routine part of the FBI’s law enforcement mission. In fact, the IC’s latest Annual Statistical Transparency Report documents the many ways the Federal Bureau of Investigation (FBI) uses Section 702 to spy on Americans without a warrant. The IC lobbied for Section 702 as a tool for national security outside the borders of the U.S., but it is apparent that the FBI uses it to conduct domestic, warrantless surveillance on Americans. In 2021 alone, the FBI conducted 3.4 million warrantless searches of US person’s 702 data.
The Good
Let’s start with the good things that this bill does. These are reforms EFF has been seeking for a long time and their implementation would mean a big improvement in the status quo of national security law.
First, the bill would partially close the loophole that allows the FBI and domestic law enforcement to dig through 702-collected data’s “incidental” collection of the U.S. side of communications. The FBI currently operates with a “finders keeper” mentality, meaning that because the data is pre-collected by another agency, the FBI believes it can operate with almost no constraints on using it for other purposes. The SAFE act would require a warrant before the FBI looked at the content of these collected communications. As we will get to later, this reform does not go nearly far enough because they can query to see what data on a person exists before getting a warrant, but it is certainly an improvement on the current system.
Second, the bill addresses the age-old problem of parallel construction. If you’re unfamiliar with this term, parallel construction is a method by which intelligence agencies or domestic law enforcement find out a piece of information about a subject through secret, even illegal or unconstitutional methods. Uninterested in revealing these methods, officers hide what actually happened by publicly offering an alternative route they could have used to find that information. So, for instance, if police want to hide the fact that they knew about a specific email because it was intercepted under the authority of Section 702, they might use another method, like a warranted request to a service provider, to create a more publicly-acceptable path to that information. To deal with this problem, the SAFE Act mandates that when the government seeks to use Section 702 evidence in court, it must disclosure the source of this evidence “without regard to any claim that the information or evidence…would inevitably have been discovered, or was subsequently reobtained through other means.”
Next, the bill proposes a policy that EFF and other groups have nonetheless been trying to get through Congress for over five years: ending the data broker loophole. As the system currently stands, data brokers who buy and sell your personal data collected from smartphone applications, among other sources, are able to sell that sensitive information, including a phone’s geolocation, to the law enforcement and intelligence agencies. That means that with a bit of money, police can buy the data (or buy access to services that purchase and map the data) that they would otherwise need a warrant to get. A bill that would close this loophole, the Fourth Amendment is Not For Sale Act passed through the House in 2024 but has yet to be voted on by the Senate. In the meantime, states have taken it upon themselves to close this loophole with Montana being the first state to pass similar legislation in May 2025. The SAFE Act proposes to partially fix the loophole at least as far as intelligence agencies are concerned. This fix could not come soon enough—especially since the Office of the Director of National Intelligence has signaled their willingness to create one big, streamlined, digital marketplace where the government can buy data from data brokers.
Another positive thing about the SAFE Act is that it creates an official statutory end to surveillance power that the government allowed to expire in 2020. In its heyday, the intelligence community used Section 215 of the Patriot Act to justify the mass collection of communication records like metadata from phone calls. Although this legal authority has lapsed, it has always been our fear that it will not sit dormant forever and could be reauthorized at any time. This new bill says that its dormant powers shall “cease to be in effect” within 180 of the SAFE Act being enacted.
What Needs to Change
The SAFE Act also attempts to clarify very important language that gauges the scope of the surveillance authority: who is obligated to turn over digital information to the U.S. government. Under Section 702, “electronic communication service providers” (ECSP) are on the hook for providing information, but the definition of that term has been in dispute and has changed over time—most recently when a FISA court opinion expanded the definition to include a category of “secret” ECSPs that have not been publicly disclosed. Unfortunately, this bill still leaves ambiguity in interpretation and an audit system without a clear directive for enforcing limitations on who is an ECSP or guaranteeing transparency.
As mentioned earlier, the SAFE Act introduces a warrant requirement for the FBI to read the contents of Americans’ communications that have been warrantlessly collected under Section 702. However, the law does not in its current form require the FBI to get a warrant before running searches identifying whether Americans have communications present in the database in the first place. Knowing this information is itself very revealing and the government should not be able to profit from circumventing the Fourth Amendment.
When Congress reauthorized Section 702 in 2014, they did so through a piece of policy called the Reforming Intelligence and Securing America Act (RISAA). This bill made 702 worse in several ways, one of the most severe being that it expanded the legal uses for the surveillance authority to include vetting immigrants. In an era when the United States government is rounding up immigrants, including people awaiting asylum hearings, and which U.S officials are continuously threatening to withhold admission to the United States from people whose politics does not align with the current administration, RISAA sets a dangerous precedent. Although RISAA is officially expiring in April, it would be helpful for any Section 702 reauthorization bill to explicitly prohibit the use of this authority for that reason.
Finally, in the same way that the SAFE Act statutorily ends the expired Section 215 of the Patriot Act, it should also impose an explicit end to “Abouts collection” a practice of collecting digital communications, not if their from suspected people, but if their are “about” specific topics. This practice has been discontinued, but still sits on the books, just waiting to be revamped.
ICE has been telling itself all it needs to do is write its own paperwork and it can do whatever it wants. Memos — passed around secretively and publicly acknowledged by no one but whistleblowers — told ICE agents they don’t need judicial warrants to arrest people or enter people’s homes.
All they need — according to acting director Todd Lyons, who issued the memos — is paperwork they could create and authorize without any need to seek the approval of anyone else. ICE calls them warrants but they’re just self-issued paperwork in which the officer says a person needs to be arrested and then signs it. That’s it. The review process begins and ends at the same desk. If the agent swears it to be true, he’s only swearing it to himself, which means every finger can be crossed and every “fact” can be fiction.
Courts aren’t having it. ICE’s internal memos may claim there’s no need for the Constitution to come between them and their mass deportation efforts, but that doesn’t mean the Constitution agrees to be sidelined. The courts are stepping in with increasing frequency to protect constitutional rights. A lot of activity in recent months has focused on the due process rights being denied to detainees.
More recent activity is focusing on the Fourth Amendment which, if violated, naturally lends itself to other rights violations. Via Kyle Cheney of Politico (who has been tracking these cases since Trump’s most recent election) comes another case where a federal judge refuses to play along with ICE’s unconstitutional game of charades.
The opening paragraph of this opinion [PDF] lays out the facts. And they are ugly.
ICE officers are casting dragnets over Oregon towns they believe to be home to agricultural workers, calling them “target rich.” Landing in those communities, officers surveil apartment complexes in the early morning hours, scan license plates for details about the vehicles’ owners, and wait for them to get into their vehicles. Officers then stop, arrest, detain and transport people out of the District of Oregon to the Northwest ICE Processing Center (“NWIPC”), 144 miles away in Tacoma, Washington, before ultimately deporting them. Sworn testimony and substantial evidence before this Court show that ICE officers ask few questions and allow little time before shattering windows, handcuffing people, and detaining them at an ICE facility in another state.
There’s no “worst of the worst” going on here. These are the actions of masked opportunists who know the only way to make the boss happy is to value quantity over quality. Untargeted dragnets cannot possibly rely on probable cause, even considering Justice Kavanaugh’s blessing of racial profiling. Given this — and the administration’s desire to see 3,000 arrests per day — immigration officers can’t even be bothered to issue administrative warrants, much less secure judicial warrants, before performing arrests.
The Oregon courts drives home the point in the next paragraph (emphasis in the original):
The law on this issue is clear and undisputed. An ICE officer may arrest someone if the officer obtains in advance a warrant for their arrest. If the officer does not have a warrant, they cannot arrest someone unless they have probable cause to believe that both (1) the individual is in the United States unlawfully and (2) they are “likely to escape before a warrant can be obtained.”
The government’s response to this could be generously called “implausible.” It’s more accurately “risible” and backed by absolutely nothing that can’t be immediately contradicted by literally everything everywhere, as the court points out.
Plaintiffs challenge ICE’s practice of abusing its arrest power by failing to meet those criteria before arresting, detaining, and deporting people. Defendants do not—and could not— argue that this practice is lawful. Rather, they argue that there is no such practice, and that the myriad cases presented to this Court are mere coincidence.
But there is “such practice.” It’s impossible to deny it, even though the government tried to. The court isn’t interested in the government’s deflections and straight-up lies. It’s here to compare the facts to the law. Here are the facts:
[T]he overwhelming evidence in this record confirms that ICE officers targeted Woodburn and other cities in Oregon because of the large number of agricultural workers living in those areas. Officer testimony regarding human smuggling serves only as an inappropriate pretextual reason for developing reasonable suspicion for a stop. That officer also testified that he believed the van was suspicious because it had tinted windows and did not have any commercial markings.
When asked what gave the officers “reasonable suspicion that there may have been a crime afoot or that the folks in the van may not have had legal status,” the officer noted that the registered owner of the van had an immigration history, and that “[p]eople are being — going into a van early in the morning.” The officers did not have the identities of anyone in the van and they were not pursuing any known targets.The officers did not have a warrant for M-J-M-A-’s arrest.
Here’s more:
The evidence also demonstrates ICE’s practice of fabricating warrants after arrests were made. Tr. 306 (if an officer “encountered a file that did not have a warrant for arrest, an I-200,” he would create one); Tr. 356 (officer affirming that “for any case” involving a warrantless arrest, he would “create a warrant for the arrest after” individuals were detained at ICE field offices). This practice of creating warrants after the fact is highly probative of ICE’s failure to make individualized determinations of one’s escape risk prior to arresting them. That is especially true where, as in M-J-M-A-’s case, the encounter narratives for arrestees were exactly “the same.” Tr. 401.
Heading towards the granting of requested restraining order, the court makes it explicitly clear that federal immigration officers are routinely violating constitutional rights:
The Court finds that ample evidence in this case demonstrates a high likelihood—if not a certainty—that Defendants are engaging in a pattern and practice of unlawful conduct in Oregon…
And if it’s unlawful in Oregon, it’s illegal everywhere in the United States. Nothing in this order relies on Oregon’s state Constitution. Everything here falls under the minimum standard set by the US Constitution and its amendments.
The order ends with a stark warning — one that makes it clear what’s happening now is not only extremely abnormal, but a threat to the Republic itself.
It is clear that there are countless more people who have been rounded up, and who either remain in detention or have “voluntarily” deported than those, like M-J-M-A-, who were fortunate enough to find counsel at the eleventh hour. Defendants benefit from this blitz approach to immigration enforcement that takes advantage of navigating outside of the boundaries of conducting lawful arrests. For the one detainee who has the audacity to challenge the legality of her detention and gains release, several more remain detained or succumb to the threat of lengthy detention, and then instead “voluntarily” deport. Defendants win the numbers game at the cost of debasing the rule of law.
Finally, this Court has previously described ICE officers’ field enforcement conduct as brutal and violent. The practices are intended to strike fear across large numbers of people throughout Oregon. The persistent intensity of regular ICE immigration enforcement operations may very well have the intended effect of normalizing this level of violence. If this normalization continues, then even greater harm will be inflicted.
This is all much larger than the individuals who have somehow managed to challenge this administration’s deportation activities. This is only where it begins. If the courts can’t get this shut down, this rot will be deliberately spread to cover anyone who isn’t sufficiently deferential to the authoritarians ensconced in the GOP.
West Virginia Attorney General JB McCuskey wants you to think he’s protecting children. His press release says so. His legal complaint opens with the genuinely horrific line that Apple has, in internal communications, described itself as the “greatest platform for distributing child porn.” He makes sure you know that Google made 1.47 million CSAM reports to the National Center for Missing and Exploited Children (NCMEC) in 2023 while Apple made just 267. He is, as politicians love to say, fighting for the kids.
What he is actually doing, if he succeeds, is building an extraordinarily effective legaldefensemechanism for child predators.
This feels difficult for some people—including, apparently, the Attorney Freaking General of West Virginia—to mentally wrap their heads around, but it’s important: the legal approach he’s taking will help child predators massively if he succeeds. The fact that West Virginia’s AG office—staffed with actual lawyers, supplemented by outside private counsel—apparently didn’t bother to read the existing Fourth Amendment jurisprudence before filing this case is, frankly, staggering.
The complaint is a “first-of-its-kind government lawsuit,” as McCuskey’s office proudly announced, targeting Apple’s “failure to detect and report CSAM on iCloud.” It alleges strict liability for design defect, negligence, public nuisance, and violations of the West Virginia Consumer Credit and Protection Act. It demands injunctive relief requiring Apple to “implement effective CSAM detection measures.” It specifically points to the PhotoDNA detection system used by Google and Meta, and to Apple’s own abandoned NeuralHash client-side scanning project, as evidence of feasible alternatives that Apple is choosing not to use.
Here is the part McCuskey’s complaint does not engage with: the moment a court orders Apple to conduct those scans, any CSAM those scans find becomes evidence obtained through a warrantless government search—and under well-established Fourth Amendment doctrine, that evidence gets excluded. Defense attorneys will move to suppress it. They will win. And without the CSAM itself as evidence, convictions become nearly impossible.
The constitutional mechanics here are well-established, and were laid out in excruciating detail a year and a half ago right here on Techdirt by Stanford’s Riana Pfefferkorn when a very similar private class action lawsuit against Apple was filed in Northern California federal court. Her analysis deserves to be quoted at length, because it goes to the heart of why McCuskey’s lawsuit is not just misguided but actively counterproductive:
While the Fourth Amendment applies only to the government and not to private actors, the government can’t use a private actor to carry out a search it couldn’t constitutionally do itself.If the government compels or pressures a private actor to search, or the private actor searches primarily to serve the government’s interests rather than its own, then the private actor counts as a government agent for purposes of the search, which must then abide by the Fourth Amendment, otherwise the remedy is exclusion.
If the government – legislative, executive, or judiciary – forces a cloud storage provider to scan users’ files for CSAM, that makes the provider a government agent, meaning the scans require a warrant, which a cloud services company has no power to get, making those scans unconstitutional searches. Any CSAM they find (plus any other downstream evidence stemming from the initial unlawful scan) will probably get excluded, but it’s hard to convict people for CSAM without using the CSAM as evidence, making acquittals likelier. Which defeats the purpose of compelling the scans in the first place.
Read that again. If West Virginia wins—if an actual court orders Apple to start scanning iCloud for CSAM—then every image flagged by those mandated scans becomes evidence obtained through a warrantless government search conducted without probable cause. The Fourth Amendment’s exclusionary rule means defense attorneys get to walk into court and demand that evidence be thrown out. And they’ll win that motion. It’s not even a particularly hard case to make.
This is not a novel concern that McCuskey can plausibly claim he didn’t know about. As Pfefferkorn noted:
As my latest publication (based on interviews with dozens of people) describes, all the stakeholders involved in combating online CSAM – tech companies, law enforcement, prosecutors, NCMEC, etc. – are excruciatingly aware of the “government agent” dilemma, and they all take great care to stay very far away from potentially crossing that constitutional line. Everyone scrupulously preserves the voluntary, independent nature of online platforms’ decisions about whether and how to search for CSAM.
There is a reason Congress, when it enacted the federal statute requiring providers to report CSAM when they find it, explicitly included a disclaimer that providers cannot be forced to search for it. The statute was deliberately written this way. Congress understood the constitutional trap.
This careful architecture matters. The people actually working to protect children from CSAM—prosecutors, investigators, NCMEC analysts, trust and safety professionals—have spent years building a legally sound framework where platforms voluntarily detect and report this material in ways that preserve prosecutorial viability. That framework depends entirely on the voluntariness of the detection. McCuskey’s lawsuit would bulldoze it.
Pfefferkorn put it bluntly about the earlier private lawsuit:
Anycompetentplaintiff’s counsel should have figured this out before filing a lawsuit asking a federal court to make Apple start scanning iCloud for CSAM, thereby making Apple a government agent, thereby turning the compelled iCloud scans into unconstitutional searches, thereby making it likelier for any iCloud user who gets caught to walk free, thereby shooting themselves in the foot, doing a disservice to their client, making the situation worse than the status quo, and causing a major setback in the fight for child safety online.
That was written about private plaintiff’s attorneys making this mistake. Here we have an Attorney General—representing the State of West Virginia, invoking the state’s “parens patriae” authority over children—making the exact same mistake, only this time with the full weight of the government behind it. When the government compels a search, the state agent doctrine doesn’t just possibly apply. It almost certainly does. By definition.
The complaint makes much of Apple’s short-lived NeuralHash project, announced in August 2021 and quietly shelved by December 2022. The press release from McCuskey’s office frames Apple’s abandonment of NeuralHash as evidence of bad faith—the company caved to “a vocal minority of purported privacy advocates,” in the complaint’s framing, choosing brand value over child safety.
What the complaint skips over is why the security community reacted so strongly to NeuralHash in the first place. We covered it at the time: the core objection from security researchers wasn’t that detecting CSAM is bad. It was that you cannot build client-side scanning infrastructure that only scans for CSAM. Once you build the pipe, you have built the pipe.
The same mechanism Apple would use to match photos against an NCMEC hash database could be used—by Apple, under government compulsion, or by adversarial actors who compromise the system—to scan for political speech, religious content, or anything else a government wants to find. The EFF called it “a backdoor to increased surveillance and censorship around the world.” WhatsApp called it “a surveillance system that could very easily be used to scan private content for anything they or a government decides it wants to control.”
Apple’s own director of user privacy and child safety, Erik Neuenschwander, wrote in a letter explaining how dangerous the company’s scanning plan was:
Scanning every user’s privately stored iCloud content would in our estimation pose serious unintended consequences for our users. Threats to user data are undeniably growing – globally the total number of data breaches more than tripled between 2013 and 2021, exposing 1.1 billion personal records in 2021 alone. As threats become increasingly sophisticated, we are committed to providing our users with the best data security in the world, and we constantly identify and mitigate emerging threats to users’ personal data, on device and in the cloud.Scanning every user’s privately stored iCloud data would create new threat vectors for data thieves to find and exploit.
It would also inject the potential for a slippery slope of unintended consequences. Scanning for one type of content, for instance, opens the door for bulk surveillance and could create a desire to search other encrypted messaging systems across content types (such as images, videos, text, or audio) and content categories. How can users be assured that a tool for one type of surveillance has not been reconfigured to surveil for other content such as political activity or religious persecution? Tools of mass surveillance have widespread negative implications for freedom of speech and, by extension, democracy as a whole. Also, designing this technology for one government could require applications for other countries across new data types.
Scanning systems are also not foolproof and there is documented evidence from other platforms thatinnocent parties have been swept into dystopian dragnets that have made them victims when they have done nothing more than share perfectly normal and appropriate pictures of their babies.
McCuskey’s complaint calls these representations “false and/or misleading” because they contradict Apple’s earlier reassurances that NeuralHash was narrowly tailored. But those security concerns are real regardless of how Apple marketed the tool—and the fact that Apple made optimistic promises about NeuralHash in 2021 doesn’t mean the subsequent concerns that emerged were wrong.
The complaint’s treatment of encryption more broadly is where the legal theory becomes genuinely dangerous, not just to this case, but to security infrastructure generally. Count I—strict liability for design defect—alleges that by choosing to implement end-to-end encryption and not build surveillance capabilities into iCloud, Apple has defectively designed its product.
Think through what that means if it succeeds. Any company offering customers strong encryption becomes potentially liable for design defects unless it simultaneously builds government-accessible backdoors. Signal is a defective product. ProtonMail is a defective product. Any messaging app that doesn’t scan your conversations for the government is a defective product.
That’s not a narrow CSAM-specific argument. That’s a declaration that encryption itself is a tortious product choice—an existential threat to the security tools that protect journalists, activists, abuse survivors, and yes, children themselves. Security experts have been fighting this exact framing for decades, and here it is appearing in a West Virginia circuit court complaint dressed up as consumer protection law.
The consumer protection angle is also worth noting. The complaint argues that Apple’s privacy policy constitutes a material misrepresentation that misled West Virginia consumers. But look at what Apple’s policy actually says. It doesn’t promise comprehensive CSAM scanning. It lists circumstances under which Apple “may” access personal data, including the ability to “prescreen or scan uploaded content for potentially illegal content, including child sexual exploitation material.”
That’s disclosure of a capability, not a promise of comprehensive deployment—a CYA for what Apple might do, not a commitment to what it will do. McCuskey’s complaint pretends Apple promised universal scanning. No one reading the actual policy in good faith could reach that conclusion.
But even setting aside the misrepresentation of Apple’s policy language, the AG’s remedy gives the game away. He doesn’t just want Apple to clarify its privacy disclosures. He wants Apple to actually implement the scanning he claims the policy promised. Which brings us right back to the Fourth Amendment trap. The remedy is what makes this lawsuit dangerous.
There is something else worth noting about how this lawsuit was filed. The signature block on the complaint lists not only the West Virginia AG’s office but also outside private counsel—Troy N. Giatras and Matthew Stonestreet of The Giatras Law Firm—appointed as “Special Assistant Attorneys General.”
This arrangement is common in mass tort litigation: private lawyers sometimes pitch state AGs on filing suits that might generate large settlements, then take a cut when they do. Nothing about that is necessarily improper. But it does invite the question of whether the legal theory here was pressure-tested for constitutional viability or pressure-tested for settlement potential.
Here’s the cynical read: maybe no one involved actually expects this to go to judgment. Big Tech company + horrific subject matter + “first-of-its-kind” headline = a strong opening bid in a negotiation. If the goal is litigation pressure to extract voluntary changes from Apple—or just a settlement check—the Fourth Amendment analysis is irrelevant to the AG’s actual strategy. Apple pays something, McCuskey declares victory, gets his headlines, and everyone moves on.
But that calculation requires Apple to fold. And if Apple doesn’t—if this actually proceeds to the remedy stage—the constitutional trap springs shut on every subsequent prosecution. Apple should also recognize that folding here just invites 49 other AGs to file copycat suits demanding the same thing.
Did no one in West Virginia consider that the reason this lawsuit was a “first of its kind” is because everyone who actually knows what they’re doing knows this lawsuit would do real damage? As Pfefferkorn noted in her original piece for us in the summer of 2024 regarding the private class action lawsuit:
The reason nobody’s filed a lawsuit like this against Apple to date, despite years of complaints from left, right, and center about Apple’s ostensibly lackadaisical approach to CSAM detection in iCloud, isn’t because nobody’s thought of it before. It’s because they thought of itand they did their fucking legal research first. And then they backed away slowly from the computer, grateful to have narrowly avoided turning themselves into useful idiots for pedophiles. But now these lawyers have apparently decided to volunteer as tribute. If their gambit backfires, they’ll be the ones responsible for the consequences.
If the goal is actually to protect children, the path forward involves working with platforms on voluntary detection improvements, adequately funding NCMEC, prosecuting offenders whose crimes come to light through existing reporting mechanisms, and addressing the genuinely hard policy questions around encryption without destroying Fourth Amendment protections that also protect, among other people, children.
What the goal does not involve—cannot involve, under current constitutional law—is a state AG filing a headline-grabbing lawsuit to force mass warrantless surveillance of private cloud storage. That’s not child protection. That’s political theater with catastrophic potential consequences for the actual prosecution of the people the AG claims to be after.
McCuskey got his press conference and his headline. What he has not done is help any child in West Virginia. The only people who stand to benefit from his success are the predators whose prosecutions will collapse when the evidence gets thrown out.
We are calling on technology companies like Meta and Google to stand up for their users by resisting the Department of Homeland Security’s (DHS) lawless administrative subpoenas for user data.
In the past year, DHS has consistently targeted people engaged in First Amendment activity. Among other things, the agency has issued subpoenas to technology companies to unmask or locate people who have documented ICE’s activities in their community, criticized the government, or attended protests.
These subpoenas are unlawful, and the government knows it. When a handful of users challenged a few of them in court with the help of ACLU affiliates in Northern California and Pennsylvania, DHS withdrew them rather than waiting for a decision.
But it is difficult for the average user to fight back on their own. Quashing a subpoena is a fast-moving process that requires lawyers and resources. Not everyone can afford a lawyer on a moment’s notice, and non-profits and pro-bono attorneys have already been stretched to near capacity during the Trump administration.
That is why we, joined by the ACLU of Northern California, have asked several large tech platforms to do more to protect their users, including:
Insist on court intervention and an order before complying with a DHS subpoena, because the agency has already proved that its legal process is often unlawful and unconstitutional;
Give users as much notice as possible when they are the target of a subpoena, so the user can seek help. While many companies have already made this promise, there are high-profileexamples of it not happening—ultimately stripping users of their day in court;
Resist gag orders that would prevent companies from notifying their users that they are a target of a subpoena.
We sent the letter to Amazon, Apple, Discord, Google, Meta, Microsoft, Reddit, SNAP, TikTok, and X.
Recipients are not legally compelled to comply with administrative subpoenas absent a court order
An administrative subpoena is an investigative tool available to federal agencies like DHS. Many times, these are sent to technology companies to obtain user data. A subpoena cannot be used to obtain the content of communications, but they have been used to try and obtain some basic subscriber information like name, address, IP address, length of service, and session times.
Unlike a search warrant, an administrative subpoena is not approved by a judge. If a technology company refuses to comply, an agency’s only recourse is to drop it or go to court and try to convince a judge that the request is lawful. That is what we are asking companies to do—simply require court intervention and not obey in advance.
It is unclear how many administrative subpoenas DHS has issued in the past year. Subpoenas can come from many places—including civil courts, grand juries, criminal trials, and administrative agencies like DHS. Altogether, Google received 28,622 and Meta received 14,520 subpoenas in the first half of 2025, according to their transparency reports. The numbers are not broken out by type.
DHS is abusing its authority to issue subpoenas
In the past year, DHS has used these subpoenas to target protected speech. The following are just a few of the known examples.
On April 1, 2025, DHS sent a subpoena to Google in an attempt to locate a Cornell PhD student in the United States on a student visa. The student was likely targeted because of his brief attendance at a protest the year before. Google complied with the subpoena without giving the student an opportunity to challenge it. While Google promises to give users prior notice, it sometimes breaks that promise to avoid delay. This must stop.
In September 2025, DHS sent a subpoena and summons to Meta to try to unmask anonymous users behind Instagram accounts that tracked ICE activity in communities in California and Pennsylvania. The users—with the help of the ACLU and its state affiliates— challenged the subpoenas in court, and DHS withdrew the subpoenas before a court could make a ruling. In the Pennsylvania case, DHS tried to use legal authority that its own inspector general had already criticized in a lengthy report.
In October 2025, DHS sent Google a subpoena demanding information about a retiree who criticized the agency’s policies. The retiree had sent an email asking the agency to use common sense and decency in a high-profile asylum case. In a shocking turn, federal agents later appeared on that person’s doorstep. The ACLU is currently challenging the subpoena.
From that one line, which Anil Kalhan dubbed “Kavanaugh Stops,” we see story after story of just how disconnected from reality, and the Constitution, Brett Kavanaugh was in that statement.
My name is George Retes. I am — I was born and raised here in Ventura, California, I’m 26 years old and I am an Iraq combat veteran…. I was going to work like normal. I show up. ICE is there. There’s kind of like a roadblock. I get out. I identify myself, that I’m a U.S. citizen, that I’m just trying to get to work…. I’m getting ready to leave and they surround my car, start banging on it, start shouting these contradictory orders…. Even though I was giving them no reason, they still felt the need to — one agent knelt my back and another agent knelt on my neck. And during that time, I’m just pleading with them that I couldn’t breathe…. I was an isolation. I was in basically this concrete cell. I was stripped naked in like a hospital gown. And they leave the lights on 24/7…. They just came out and they said that I was violent and that I assaulted agents. Why lie when it’s on video of everything that happened? Why lie?
That’s just one person’s story in that PBS piece. There are two others as well. And we already know hundreds of other US Citizens have been kicked, dragged, beaten, and detained for days. It feels like every few days we hear about more such stories. And those are only the ones that get attention. You have to assume that there are many more ones that haven’t yet reached the public.
It feels like perhaps Justice Kavanaugh owes us all an explanation. And an apology. And a new ruling that makes it much clearer that immigration enforcement officials have no right to just randomly stop and detain people without a reasonable suspicion, based on specific articulable facts, and those facts need to be more than “skin color” or “they were being annoying to us.”
As Immigration and Customs Enforcement, or ICE, agents continued to use aggressive and sometimes violent methods to make arrests in its mass deportation campaign, including breaking down doors in Minneapolis homes, a bombshell report from the Associated Press on Jan. 21, 2026, said that an internal ICE memo – acquired via a whistleblower – asserted that immigration officers could enter a home without a judge’s warrant. That policy, the report said, constituted “a sharp reversal of longstanding guidance meant to respect constitutional limits on government searches.”
Those limits have long been found in the Fourth Amendment to the U.S. Constitution. The Conversation’s Politics editor Naomi Schalit interviewed Dickinson College President John E. Jones III, a former federal judge appointed by President George W. Bush and confirmed unanimously by the U.S. Senate in 2002, for a primer on the Fourth Amendment, and what the changes in the ICE memo mean.
Okay, I’m going to read the Fourth Amendment – and then you’re going to explain it to us, please! Here goes:
“The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized.” Can you help us understand what that means?
Since the beginning of the republic, it has been uncontested that in order to invade someone’s home, you need to have a warrant that was considered, and signed off on, by a judicial officer. This mandate is right within the Fourth Amendment; it is a core protection.
In addition to that, through jurisprudence that has evolved since the adoption of the Fourth Amendment, it is settled law that it applies to everyone. That would include noncitizens as well.
What I see in this directive that ICE put out, apparently quite some time ago and somewhat secretly, is something that, to my mind, turns the Fourth Amendment on its head.
What does the Fourth Amendment aim to protect someone from?
In the context of the ICE search, it means that a person’s home, as they say, really is their castle. Historically, it was meant to remedy something that was true in England, where the colonists came from, which was that the king or those empowered by the king could invade people’s homes at will. The Fourth Amendment was meant to establish a sort of zone of privacy for people, so that their papers, their property, their persons would be safe from intrusion without cause.
So it’s essentially a protection against abuse of the government’s power.
That’s precisely what it is.
Has the accepted interpretation of the Fourth Amendment changed over the centuries?
It hasn’t. But Fourth Amendment law has evolved because the framers, for example, didn’t envision that there would be cellphones. They couldn’t understand or anticipate that there would be things like cellphones and electronic surveillance. All those modalities have come into the sphere of Fourth Amendment protection. The law has evolved in a way that actually has made Fourth Amendment protections greater and more wide-ranging, simply because of technology and other developments such as the use of automobiles and other means of transportation. So there are greater protected zones of privacy than just a person’s home.
ICE says it only needs an administrative warrant, not a judicial warrant, to enter a home and arrest someone. Can you briefly describe the difference and what it means in this situation?
It’s absolutely central to the question here. In this context, an administrative warrant is nothing more than the folks at ICE headquarters writing something up and directing their agents to go arrest somebody. That’s all. It’s a piece of paper that says ‘We want you arrested because we said so.’ At bottom that’s what an administrative warrant is, and of course it hasn’t been approved by a judge.
This authorized use of administrative warrants to circumvent the Fourth Amendment flies in the face of their limited use prior to the ICE directive.
A judicially approved warrant, on the other hand, has by definition been reviewed by a judge. In this case, it would be either a U.S. magistrate judge or U.S. district judge. That means that it would have to be supported by probable cause to enter someone’s residence to arrest them.
So the key distinction is that there’s a neutral arbiter. In this case, a federal judge who evaluates whether or not there’s sufficient cause to – as is stated clearly in the Fourth Amendment – be empowered to enter someone’s home. An administrative warrant has no such protection. It is not much more than a piece of paper generated in a self-serving way by ICE, free of review to substantiate what is stated in it.
Have there been other kinds of situations, historically, where the government has successfully proposed working around the Fourth Amendment?
There are a few, such as consent searches and exigent circumstances where someone is in danger or evidence is about to be destroyed. But generally it’s really the opposite and cases point to greater protections. For example, in the 1960s the Supreme Court had to confront warrantless wiretapping; it was very difficult for judges in that age who were not tech-savvy to apply the Fourth Amendment to this technology, and they struggled to find a remedy when there was no actual intrusion into a structure. In the end, the court found that intrusion was not necessary and that people’s expectation of privacy included their phone conversations. This of course has been extended to various other means of technology including GPS tracking and cellphone use generally.
What’s the direction this could go in at this point?
What I fear here – and I think ICE probably knows this – is that more often than not, a person who may not have legal standing to be in the country, notwithstanding the fact that there was a Fourth Amendment violation by ICE, may ultimately be out of luck. You could say that the arrest was illegal, and you go back to square one, but at the same time you’ve apprehended the person. So I’m struggling to figure out how you remedy this.
The administration’s racist goon squads have absolutely been steamrolling the Constitution since Trump’s return to office. When ICE et al started roving throughout the nation looking for anyone non-white enough to be foreign, all rights were considered expendable.
The DHS made swift work of the Fifth, Sixth, and 14th Amendments by denying arrestees due process and access to legal representation. Officers grabbed people, sent them far from their home states, and shoved them into planes headed to foreign hellhole prisons as quickly as possible in hopes of nullifying the inevitable legal challenges.
The 14th Amendment got kicked while it was still down when the administration decided birthright citizenship was no longer a thing. And the entire administration simply pretends the First Amendment doesn’t apply to anyone who says things or does stuff it doesn’t like.
The Fourth Amendment got turned into a doormat last May when the DHS Office of Legal Counsel (usurping the role usually held by the DOJ Office of Legal Counsel) told federal officers they no longer needed judicial warrants to enter homes so long as they could semi-credibly claim the person they were seeking was subject to immigration court order of removal.
Amid tensions over President Trump’s immigration crackdown in Minnesota and beyond, federal agents were told this week that they have broader power to arrest people without a warrant, according to an internal Immigration and Customs Enforcement memo reviewed by The New York Times.
The change expands the ability of lower-level ICE agents to carry out sweeps rounding up people they encounter and suspect are undocumented immigrants, rather than targeted enforcement operations in which they set out, warrant in hand, to arrest a specific person.
“Amid tensions,” Polish journalists wrote in late 1939. That bit of coyness aside, there’s additional coyness in the memo issued by ICE’s acting director Todd Lyons. There’s very little in the way of legal citations. But there’s definitely a permission slip ICE agents can write for themselves when they head out to terrorize US residents.
Lyons thinks he can redefine legal terms on the fly to allow immigration officers to arrest people without warrants. The memo says “flight risk” (which allows for a warrantless arrest) is not the correct term since it can only be applied after an arrest:
Without explanation, and without any formal policy, ICE previously applied the phrase “likely to escape” as being the equivalent of “flight risk. ” This unreasoned position was incorrect. In fact, there are significant differences between the two standards in the immigration regulatory context and immigration officers should avoid conflating them. A flight risk analysis looks at whether an alien is likely to attend future immigration court hearings, appear before ERO as directed, surrender for removal, and comply with other immigration obligations. Flight risk determinations are made after an alien’s arrest, where the alien has already been identified, fingerprinted, interviewed, and may have had DNA collected.
That’s simply no good for this administration — especially when immigration forces are expected to come up with 3,000 arrests perday. Lyons says (again, without supporting legal citations) that “likely to escape” should be the standard for warrantless arrests, which is a determination agents should be able to make on their own without having to seek an arrest warrant. After all, if they go get a warrant, there’s a good chance the person they want to arrest might be a bit more difficult to find.
While the flight-risk analysis assesses whether an already identified and detained alien is likely to comply with future immigration obligations such as court appearances and appearances before ERO , the likelihood-of-escape analysis is narrowly focused on determining whether the person is likely to escape before the officer can practically obtain an administrative arrest warrant, while in the field. This on-the-spot determination as to the likelihood of escape is often made with limited information about the subject’s identity, background, or place of residence and no corroboration of any self-serving statements made by the subject.
The goalposts are moved. If an officer thinks a person they just happened to come across while performing an arrest with an actual warrant might not stick around to be arrested later, the officer can just arrest them as well, citing the lowered standard of “likely to escape.”
And what makes one “likely to escape” under this arbitrary, completely made the fuck up “legal” standard? Well, it’s a fine blend of “anything” and “everything.”
The subject’s behavior before or during the “encounter,” which covers anything from “suspicious behavior” to simply refusing officers’ commands to let them in a house (without a warrant) or yank them from a car (without a warrant). For that matter, being in a car is all that’s needed to be considered “likely to escape.” (“The subject’s ability and means to promptly depart the scene.”)
Or maybe the “subject” looks like they just may be healthy enough to leave on foot:
The subject’s age and health…
Also on the list: documents an officer “suspects” might be fraudulent (with no demand made that officers attempt to verify documents before engaging in a warrantless arrest). The list also says officers can make warrantless arrests if they suspect the person has violated any immigration law, even though they are not required to do anything at all to seek information that might corroborate their suspicions.
The end result is exactly what this administration wants it to be: a blank check for warrantless arrests that can then be justified after the fact by the officers who performed the arrest. And if they happen to be wrong, they’ll just cut the person loose, secure in the knowledge they’ll never be punished by their superiors, much less held accountable in court now that the Supreme Court has made it impossible to sue federal officers for rights violations.
Given this further erasure of civil rights, one can only assume the coming weeks will bring us DHS/ICE memos declaring the use of private homes as federal operation centers to be well within the confines of the Third Amendment. Perhaps we’ll even see some women jailed for attempting to vote during the upcoming midterms. ALL RIGHTS MUST GO!, says the administration proudly hosting this dumpster fire of a civil liberties fire sale. And once again, the party claiming to make America great continues to eliminate all the stuff that makes America America.
