TL;DR
The Fourth Amendment says the government needs a warrant to spy on you. There is a loophole the size of a surveillance state through it. If a private company already has your data and is willing to sell it, the government just writes a check. No judge. No probable cause. No paperwork.
There is no federal law stopping this. None. Congress had one shot to close it in April 2024. The vote failed 212 to 212. A tie is a loss.
The FBI bought your location data. The NSA bought your browsing history. ICE spent $2.8 billion on commercial surveillance tools. All confirmed. All warrantless. All legal.
AI now takes those purchased fragments — your coffee stops, your late-night searches, your medical appointments — and fuses them into a portrait of everything you are. Your religion. Your health. Your politics. Your real name behind every anonymous account you thought nobody could trace.
The government has a seventy-year documented record of illegal surveillance against its own citizens. Not alleged. Proven. Congressional record. Declassified files. Court rulings.
And it has never once stopped on its own.
Here is a thing confirmed by the director of the FBI, the leadership of the NSA, and the intelligence community's own internal audit:
Federal agencies have been buying Americans' personal data — location history, browsing records, financial profiles — from commercial data brokers. Without warrants. Without court orders. Without telling you.
Not in secret memos from the 1970s. In sworn congressional testimony. In writing. In the last two years.
And there is no law that says they cannot.
The loophole the Supreme Court left wide open
Think of it like this. The Constitution says the police can't kick in your front door without a warrant. That protection is real. But what if everything you own was already sitting on your front lawn with a for sale sign — and any passerby, including the government, could just pick it up?
That is the commercial data market. And you didn't put it there. Your apps did it for you.
In 2012, the Supreme Court ruled the FBI needs a warrant to attach a GPS tracker to your car. In 2018, in Carpenter v. United States, it ruled the government needs a warrant to pull seven days of cell tower records from your phone carrier. Chief Justice Roberts called that ruling "narrow" — and he meant it literally. The Court deliberately did not decide what happens when the government skips the carrier entirely.
What happens is this: it buys the same data, or better data, from a broker.
Your location doesn't live only with your carrier. It lives in every app that ever asked for location access. Weather apps. Navigation apps. Games. Prayer apps. They harvest your GPS coordinates continuously and sell them into a supply chain that ends at a company called a data broker. The broker packages it and sells it to whoever pays. The government pays.
The Electronic Communications Privacy Act — 1986. The Stored Communications Act. The Privacy Act of 1974. None of them prohibit this. They were written before the smartphone existed. There is no comprehensive federal privacy law in the United States that closes this gap. There has never been one.
The receipts
This is not a theory. The agencies confirmed it themselves.
On March 8, 2023, FBI Director Christopher Wray appeared before the Senate Select Committee on Intelligence. Under questioning by Senator Ron Wyden, Wray confirmed the FBI had purchased Americans' geolocation data from commercial data brokers — without warrants. He said the practice had been suspended. No independent audit has confirmed it stopped. ¹
On January 25, 2024, Senator Wyden released a declassified letter confirming the NSA had been purchasing Americans' internet browsing records from commercial data brokers — the actual websites you visited, packaged and sold. The New York Times broke the story the same day. The NSA had not disclosed this voluntarily. Wyden placed a hold on a senior NSA official's confirmation to force it into the open. ²
Customs and Border Protection purchased access to commercial smartphone location data — confirmed through Wall Street Journal reporting in February 2020 and subsequent ACLU FOIA litigation. ³
ICE is in a category of its own. Georgetown Law's Center on Privacy and Technology published a report in May 2022 called "American Dragnet." Their researchers analyzed over 100,000 government spending records and found ICE spent approximately $2.8 billion on surveillance technology between 2008 and 2021. Their data sources included Venntel, Babel Street, Thomson Reuters' CLEAR database, and LexisNexis. They had access to driver's license records covering roughly 74% of all U.S. adults. ⁴
The U.S. military purchased location data harvested from Muslim prayer apps — apps downloaded by tens of millions of people for daily religious practice. Vice/Motherboard broke this story on November 16, 2020. The data flowed through X-Mode Social and Babel Street. The Defense Intelligence Agency later confirmed to Wyden's office in writing that it had purchased and queried commercially available location data on Americans without warrants. ⁵
Local police didn't need a federal budget to get in on it. In September 2022, the AP and the Electronic Frontier Foundation revealed that a company called Fog Data Science had been selling smartphone location tracking to approximately 40 local police departments for as little as $7,500 a year. You don't need a federal surveillance apparatus anymore. You need a credit card. ⁶
What AI does that no army of analysts ever could
The old argument against mass surveillance was practical: it generates too much data, nobody can process it, so what's the real harm?
AI killed that argument.
A 2013 MIT study published in Scientific Reports found that four location data points — four timestamps, four places — are enough to uniquely re-identify 95% of people in a dataset of 1.5 million. ⁷ Four. Your coffee shop on Monday. Your doctor on Tuesday. Your kid's school on Thursday. Your church on Sunday. That is not anonymized data. That is you. "Anonymized" is a marketing claim. It was never a technical barrier.
When AI fuses location, browsing, financial, and social data, it reconstructs everything you never disclosed to anyone. Weekly stops at a mosque during prayer times reveal your religion. Regular visits to an oncology center reveal your diagnosis. Attendance at rallies combined with browsing patterns builds a political file. A Cambridge University study published in PNAS in 2013 showed that Facebook Likes alone could predict political party affiliation with 85% accuracy. ⁸ That was 2013. With one dataset. Before modern AI existed.
AI also unmasks anonymous accounts. In July 2021, a Catholic news outlet obtained commercially available Grindr location data. They used it to track the phone of a senior Catholic Church official to gay bars, identified him, and published the story. He resigned the same day. They didn't hack a single system. They bought a data subscription. ⁹
The intelligence community knows exactly what this means. The ODNI's own internal audit — the Senior Advisory Group Report on Commercially Available Information, completed in January 2022 and declassified in June 2023 — acknowledged that purchased commercial data "can reveal sensitive and intimate information about the personal attributes, private behavior, social connections, and speech of U.S. persons" and could be "used to identify every person who attended a protest or rally." ¹⁰
The government wrote that assessment about its own conduct. Then kept buying.
Seventy years of the same story
People hear "government surveillance overreach" and think it's a theoretical concern. It is not theoretical. It is a pattern with a documented seven-decade history.
From 1956 to 1971, the FBI ran COINTELPRO. It surveilled, infiltrated, and actively tried to destroy domestic political organizations — civil rights groups, antiwar movements, the Southern Christian Leadership Conference. It sent Martin Luther King Jr. an anonymous letter widely understood as encouraging him to take his own life. It was not uncovered by a government investigation or congressional oversight. Activists broke into an FBI field office in Media, Pennsylvania, stole the files, and mailed them to journalists.
For thirty years starting in 1945, the NSA received copies of virtually all international telegrams entering or leaving the United States — from Western Union, RCA, and ITT — with no legal authority whatsoever. The Church Committee investigated all of it in 1975 and 1976 and concluded that intelligence agencies had "systematically violated the constitutional rights of American citizens."
After September 11, President Bush secretly authorized the NSA to intercept Americans' international calls and emails without FISA court orders. The program ran for years before the New York Times exposed it in December 2005. The NSA's Section 215 bulk phone metadata collection — records of virtually every American's calls — ran until Edward Snowden revealed it in June 2013. A federal appeals court ruled it illegal in 2015. PRISM collected emails, chats, and social media content from nine major tech companies. Also Snowden.
The pattern is identical across every decade. Programs created in secret. Expanded beyond any legal authority. Continued until forced into the open by whistleblowers, stolen documents, or journalists. Never stopped voluntarily. Not once.
Congress had its shot
In April 2024, during reauthorization of FISA Section 702, an amendment requiring warrants for government data broker purchases came to a House floor vote.
It failed 212 to 212. ¹¹
A tie is a loss. FISA Section 702 was reauthorized on April 20, 2024, signed into law as Public Law 118–49, with zero restrictions on commercial data purchases. ¹²
Senator Ron Wyden — who had spent years placing holds on government nominations, demanding classified disclosures, and dragging these facts into the public record — retired from the Senate in January 2025. No one has picked up his work at the same level.
The FTC moved on one company. On January 9, 2024, it issued its first-ever order prohibiting a data broker from selling sensitive location data, forcing X-Mode Social — now rebranded Outlogic — to stop selling data tied to visits to medical facilities, religious institutions, and domestic violence shelters. ¹³ One company. One order. Thousands of brokers operating the same way, untouched.
On January 20, 2025, the new administration revoked Biden's executive order on AI, which had included directives for agencies to evaluate how AI magnifies commercial data collection risks. The replacement order focused on removing barriers to American AI development. There were no privacy provisions.
The commercial surveillance industry is not contracting. It is expanding.
The infrastructure doesn't come with an expiration date
The constitutional framework Americans rely on was built for a world where surveillance required the government to do something — tap a phone, open a letter, attach a tracker. Every act triggered a warrant requirement. The modern version requires nothing more than a purchase order.
Your apps sold your data. Brokers bought and repackaged it. The government wrote a check. AI turned the fragments into a file on you that no analyst in history could have assembled manually — built from the ordinary noise of your daily life, without your knowledge, without a warrant, and without breaking a single law.
Four data points. That is all the science says it takes to identify you out of a million people.
The question is not whether you have something to hide. People said that about COINTELPRO too. Robert Williams, wrongfully arrested in Detroit in January 2020 after facial recognition software misidentified him, had nothing to hide. He spent thirty hours in custody in front of his wife and daughters before the error surfaced. Jorge Molina spent nearly a week in an Arizona jail in 2018 for a murder he didn't commit because Google geofence data put his phone near the crime scene. His mother's ex-boyfriend had borrowed his car. The NYPD surveilled Muslim communities for over a decade, mapping mosques, infiltrating student groups, monitoring businesses — and produced zero terrorism leads. The AP won the Pulitzer Prize for exposing it.
You don't have to be guilty. You just have to be in the database when someone decides to look.
The infrastructure being assembled right now will outlast every promise being made about how it will be used.
Q&A — Objections answered
Q1: Doesn't the government still need a warrant for any of this?
For data it collects directly, yes. The GPS tracker ruling in 2012. The carrier location data ruling in 2018. Those protections are real. But the Court in Carpenter explicitly called the ruling narrow and deliberately left the data broker question open. So the government routes around the warrant requirement: instead of subpoenaing your phone company, it pays a middleman who already has your data. No judge. No probable cause. No paperwork. Legal under every existing statute because no statute covers it.
Q2: I have nothing to hide. Why does this affect me?
Robert Williams had nothing to hide. Thirty hours in custody, wrongfully arrested based on a facial recognition mismatch. Jorge Molina had nothing to hide. A week in jail for a murder he didn't commit because an algorithm put his phone at the wrong place. The NYPD ran a decade-long surveillance program on Muslim communities and never generated a single terrorism lead. The AP won the Pulitzer documenting it. You don't need to be guilty. You need to be in the database when someone with power decides to look. Attorney General Robert Jackson told Congress in 1940: "The prosecutor has picked the man and then searched the law books to pin a crime on him." The database is the new search.
Q3: Can't I just delete my apps or use a VPN?
No. The data supply chain doesn't require your ongoing participation. Your location history was sold by your weather app last year. Your browsing behavior was packaged by ad networks last month. Your financial patterns are already flowing through LexisNexis and Thomson Reuters right now. Deletion is retroactive and incomplete. The records exist in broker databases you have no access to and no legal right to demand deleted under current federal law. And the MIT study is unambiguous — four data points already in that database are enough to identify you out of 1.5 million people.
Q4: Hasn't Congress done something about this?
212 to 212. April 2024. That was the vote. It failed. FISA was reauthorized the same month with no restrictions. The FTC issued one enforcement order against one company. The senator who spent years forcing these disclosures retired in January 2025. The administration that took office the same month revoked the one executive order that directed agencies to evaluate these risks. The legislative and regulatory trajectory is running in the wrong direction.
Q5: This sounds like a problem for dissidents and activists, not regular people.
The ODNI's own internal report said purchased commercial data could be "used to identify every person who attended a protest or rally." A Catholic news outlet identified and exposed a Church official using Grindr data they bought commercially in 2021. A 2023 Duke University study found data brokers openly advertising lists of people with specific mental health conditions — depression, anxiety, PTSD — for cents per record. No inference required. The condition was the product category. Regular people are the market. Their data is what makes the market valuable.
Sources
1. Sen. Ron Wyden, Senate Select Committee on Intelligence, March 8, 2023. Wired, "The FBI Admits to Buying US Location Data," March 2023.
2. Charlie Savage, "N.S.A. Buys Americans' Internet Data Without Warrants," New York Times, Jan. 25, 2024. Sen. Wyden press release, wyden.senate.gov, Jan. 25, 2024.
3. Byron Tau & Michelle Hackman, Wall Street Journal, Feb. 7, 2020.
4. Georgetown Law Center on Privacy & Technology, "American Dragnet," May 2022. law.georgetown.edu.
5. Joseph Cox, "U.S. Military Bought Location Data Harvested From Muslim Prayer App," Vice/Motherboard, Nov. 16, 2020.
6. Garance Burke & Jason Dearen, "Fog Revealed," AP, Sept. 2, 2022. EFF, eff.org/deeplinks, Sept. 2022.
7. de Montjoye et al., "Unique in the Crowd," Scientific Reports 3:1376, March 25, 2013. DOI: 10.1038/srep01376.
8. Kosinski, Stillwell & Graepel, "Private traits and attributes are predictable from digital records of human behavior," PNAS 110(15):5802 — 5805, 2013. DOI: 10.1073/pnas.1218772110.
9. "Pillar Investigates: USCCB Gen. Sec. Burrill Resigns," The Pillar, July 20, 2021.
10. ODNI Senior Advisory Group Report on Commercially Available Information, declassified June 2023. dni.gov.
11. House Roll Call Vote, Davidson amendment to H.R. 7888, April 12, 2024. clerk.house.gov.
12. Reforming Intelligence and Securing America Act, Public Law 118–49, signed April 20, 2024. congress.gov.
13. FTC Order, X-Mode Social/Outlogic, Jan. 9, 2024. ftc.gov.