The Data Broker Loophole: How the Government Buys Your Location Without a Warrant

On April 17, 2024, the U.S. House of Representatives passed H.R. 4639, the Fourth Amendment Is Not For Sale Act, by a vote of 219–199. The bill would prohibit federal law enforcement and intelligence agencies from buying personal data — location, browsing records, communications metadata — from private brokers without first getting a court order.

The bill exists because, today, they don't have to. The Senate has not taken it up. The administration opposes it. And in the meantime, the FBI, IRS, DEA, DHS, ICE, the Department of Defense, and the Secret Service have all been documented purchasing exactly the kind of data they would otherwise need a warrant to obtain.

The short answer: the Electronic Communications Privacy Act of 1986 bars phone and internet companies from handing your sensitive records to the government without legal process. It says nothing about data brokers, because Congress in 1986 didn't anticipate that an entire industry would emerge to repackage and resell the same data. That gap is the "data broker loophole."

This piece is the civil-liberties one. No fear-mongering. Just the law, the agencies, and what the reform fight looks like.

TL;DR

• Federal agencies have purchased Americans' cell-phone location data, browsing histories, and personal records from commercial data brokers like Venntel and Babel Street — without warrants, court orders, or subpoenas.
• The legal mechanism is a gap in ECPA (1986), reinforced by the Supreme Court's "third-party doctrine," which says voluntarily shared information has reduced Fourth Amendment protection.
• The Brennan Center, EFF, EPIC, and Project On Government Oversight have documented purchases by DHS, FBI, IRS, DoD, and others.
• The Fourth Amendment Is Not For Sale Act passed the House 219–199 in April 2024 but stalled in the Senate.
• The fight isn't a left/right issue — the House bill had bipartisan sponsors and bipartisan opposition.

How the loophole actually works

To understand the loophole, you have to understand what the law was designed to block — and then look at what it left open.

The intended block. When the FBI wants your historical cell-phone location data directly from Verizon or AT&T, it must, since Carpenter v. United States (2018), get a warrant supported by probable cause. When it wants the content of your emails from Google or Microsoft, same rule. When it wants your browsing history from your ISP, ECPA and various amendments add legal process requirements depending on the data type. These protections exist because the carriers and platforms are defined in the statute as "electronic communication service providers" and "remote computing service providers" — terms with specific legal meaning.

The opening. A data broker is not an electronic communication service provider. A data broker is a company that buys data, usually from app developers, ad-tech middlemen, loyalty programs, and other commercial sources, then resells aggregated profiles to whoever wants them. ECPA doesn't constrain data brokers from selling, and it doesn't constrain the government from buying.

So the chain looks like this:

1. You install a weather app. The app collects your location 200 times a day.
2. The app's SDK shares that location with an ad-tech firm.
3. The ad-tech firm sells it to a data broker like Venntel or Babel Street.
4. The broker bundles it into a "patterns of life" product.
5. A federal agency buys the product — for an annual subscription, on a contract.

At no point in that chain did the government interact with a phone company, an ISP, or an email provider. The Fourth Amendment never gets triggered, because the Supreme Court's third-party doctrine treats data you "voluntarily" shared with a third party — the app — as outside the Amendment's protection. (That you almost certainly didn't read the app's terms of service is, for the doctrine, irrelevant.)

EPIC's research, summarized in their report Closing the Data Broker Loophole, lays out two specific statutory gaps in ECPA: app developers and third-party brokers aren't covered by the statute's definitions, and ECPA permits service providers to voluntarily disclose non-content information to brokers, who then sell it onward.

The documented purchases

This isn't speculative. Multiple federal agencies have confirmed buying broker data, and the Project On Government Oversight maintains a running list.

• DHS / ICE / CBP: Purchased smartphone location data from Venntel to track movements at the southern border. Internal DHS Inspector General reports later questioned whether the warrantless purchases complied with department policy.
• IRS Criminal Investigation: Bought a subscription to Venntel's location data. Senator Ron Wyden's office documented the contract. The IRS reportedly ended the use after the program drew scrutiny.
• FBI: Then-Director Christopher Wray confirmed under Senate questioning in March 2023 that the bureau had previously purchased U.S. location data from commercial sources.
• DEA: Has paid AT&T for access to a multi-decade phone-records database known as the Hemisphere Project.
• Defense Department / Special Operations Command: Has purchased location data including from the Muslim Pro prayer app.
• Secret Service: Has purchased Babel Street's Locate X product, which provides historical location data on devices.

The pattern is consistent: the data agencies bought was the same sensitive data — location traces, browsing patterns — that would have required a warrant from a carrier.

The third-party doctrine, briefly

The legal foundation that allows all of this is the third-party doctrine, a Supreme Court rule from the 1970s (United States v. Miller, 1976; Smith v. Maryland, 1979) that says information you knowingly share with a third party — a bank, a phone company — loses its Fourth Amendment protection.

The doctrine was developed when "sharing with a third party" was narrow: phone numbers dialed, bank deposits. Today it includes everything your phone does, your search history, your driving, your purchases, your location 24/7. The Supreme Court started chipping at the doctrine in Carpenter v. United States (2018), holding that historical cell-site location info from carriers requires a warrant. But Carpenter applies to data the government compels from a carrier — not to data brokers willingly sell.

The Brennan Center's legal analysis argues that Carpenter's reasoning logically extends to broker-purchased data, but the courts haven't gone there yet, and legislation is the more durable fix.

What the Fourth Amendment Is Not For Sale Act does

The bill itself is short. Its core provisions:

• Prohibits law enforcement and intelligence agencies from purchasing personal data from data brokers that they would otherwise need a warrant, court order, or subpoena to obtain.
• Closes the "voluntary disclosure" loophole in ECPA that lets carriers hand over certain records.
• Bans the government from buying data obtained via deception (e.g., apps that misrepresent what they collect).
• Extends warrant requirements to internet-based communications records held by intermediaries.

The bill passed the House 219–199 in April 2024 with a bipartisan coalition: progressive Democrats concerned about surveillance overreach joined libertarian-leaning Republicans concerned about constitutional protections. It was opposed by leadership in both parties and by the executive branch. It has not received a Senate vote.

A companion effort, the Government Surveillance Reform Act, reintroduced in March 2026, would also require warrants for FBI searches of Americans' communications and add transparency to the FISA court.

What the public-records side looks like

Worth distinguishing here: government data-broker purchases are not the same thing as government public records. Voter rolls, property deeds, court filings, and business registrations are public by statute — anyone can request them. Those records get scraped and resold by the data broker industry too, but a separate issue from the government buying commercial broker data on its own citizens.

The civil-liberties concern with the broker loophole is specifically about behavioral and locational data — the patterns of life that the Fourth Amendment was meant to shield from warrantless government interest.

What you can do today

This is a structural problem and most of the answer is legislative. But there are individual actions that matter:

1. Pull location permissions from apps that don't need them. Open Settings → Privacy → Location Services (iOS) or Settings → Location → App permissions (Android). Set every app to "While Using" or "Never." Weather apps, flashlight apps, photo editors, and games do not need background location.
2. Opt out of ad-ID tracking. iOS: Settings → Privacy & Security → Tracking, toggle off "Allow Apps to Request to Track." Android: Settings → Privacy → Ads, "Delete advertising ID."
3. File opt-outs with the data brokers that resell location data. Acxiom, LiveRamp, Oracle Data Cloud, and others accept consumer requests. State privacy laws (CCPA in California, similar in Virginia, Colorado, Connecticut, Utah, and others) give you statutory deletion rights.
4. Contact your senator about the Fourth Amendment Is Not For Sale Act. Whatever your politics, the principle — that government should need a warrant for data it would otherwise need a warrant for — is one a remarkable cross-section of legal scholars agree on. EFF and the ACLU both maintain action pages.
5. Read the source documents. The Brennan Center report and EPIC's closing-the-loophole brief are short, sober, and freely available. They're better than any blog summary.

---

The loophole isn't a conspiracy. It's a 39-year-old statute that didn't anticipate a 2026 data market. Closing it requires Congress to update the law, the courts to extend Carpenter, or both. In the meantime, the most concrete thing an individual can do is shrink the supply — fewer apps tracking, fewer brokers holding records, fewer rows for the government (and everyone else) to subscribe to. That's the same fight we lay out in our manifesto on why the link between data sources is the real risk: one record is recoverable, an aggregated profile is an identity.

If you want help with the second part, that's what we do. Leak Check Me's privacy agent scans broker sites, helps prepare eligible opt-out requests after authorization, and patrols for relistings. One scrub mission is $20. Start at leakcheckme.com.

Sources

• Congress.gov: H.R. 4639 — Fourth Amendment Is Not For Sale Act, full text
• Brennan Center for Justice: Closing the Data Broker Loophole
• EPIC: Closing the Data Broker Loophole — Government Evasion of the Fourth Amendment
• Project On Government Oversight: Fact Sheet — Closing the Data Broker Loophole
• ACLU: After House Passes Fourth Amendment Is Not For Sale Act, ACLU Urges Senate to Stop Government from Spying on Americans Without a Warrant
• CyberScoop: House passes bill to limit personal data purchases by law enforcement, intelligence agencies
• EPIC: ECPA Overview
• Senator Wyden: Introduction of the Government Surveillance Reform Act