Government Continues To Rely On Private Contractors To Bypass Privacy Protections
There's only so much domestic surveillance the government can engage in before it starts running into problems. The Supreme Court's Carpenter decision strongly suggested gathering data in bulk to track people might run afoul of the Fourth Amendment. Lower courts have delivered a variety of opinions on the subject. Meanwhile, a few privacy-oriented legislators are trying to codify privacy protections that would limit the government's ability to abuse the Third Party Doctrine to obtain massive amounts of data.
Location data was directly implicated in the Carpenter decision. Since then, federal agencies have decided to bypass warrant requirements by purchasing location data directly from data brokers, rather than engage with the constitutional parameters established by the Supreme Court. Everyone has a hunger for data. And plenty of companies are willing to sell whatever they can acquire to agencies like ICE, CBP, FBI, DEA, Secret Service, and the Defense Department.
And that's only the tip of the iceberg. These same brokers sell data to local law enforcement agencies and state prisons. They also sell to a bunch of other private companies, allowing this data to be abused by debt collectors, stalkers, and people pretending to be cops. They're also allowing law enforcement in states that have outlawed abortion to track people seeking these newly banned services.
Selling other people's data is big business. As isolated pockets of legislators push for more oversight and better privacy protections for Americans, data brokers are pushing back. Lobbyists for data brokers have made D.C. their second home, bending the ears (and loading up the wallets) of any legislators willing to set aside their privacy concerns in favor of ensuring the business of brokering data remains a going concern.
Who's paying for all of this lobbyist action? Well, as Alfred Ng reports for Politico, it's the same people who would probably like their privacy to be a bit more protected from the harvesting machinery of data brokers. And the on-ramp for this vicious cycle that makes the public's money work against the public's best interests is the federal government's private partners in identity verification.
The idea was simple and appealing: Give citizens a single, easy-to-use webpage to access all kinds of federal services, from passport renewal to small-business loans.
The site, Login.gov, launched in 2017 and got backing from the Biden administration in an executive order last December. As of this week, it's connected to more than 20 government agencies, including the Small Business Administration, the Office of Personnel Management, the Social Security Administration and NASA.
But when citizens enter their personal information to register for the site, it's not the federal government that validates it - it's a group of private-sector data brokers, companies that are increasingly under scrutiny for collecting, storing and selling massive amounts of information on Americans without their knowledge.
LexisNexis is the primary beneficiary of this partnership, in more ways than one. First, there's the $34 million contract with Login.gov. Then there's the untold millions it can make by selling off this data to other private companies, local government agencies, and anyone else it feels is deserving of access to the verification data it collects on behalf of the US government. And it continues to exploit this collection it obtains by government mandate and government contract even while paying out settlements over its misuse of the data it collects.
According to LexisNexis, it does not store, retain, or reuse" the personal information it collects via Login.gov. But that's only a small part of the company's dealings with the federal government. Other contracts are far more lucrative. And they don't come with the same assurances LexisNexis has offered here.
The Login.gov account is a relatively modest example by federal standards. In 2021, the Department of Labor awarded LexisNexis a $1.2 billion deal to prevent fraud in state unemployment insurance programs. (The contract was later reduced to $528 million.) The Labor Department also has a $2 billion effort for fraud detection, which involves LexisNexis and the credit monitoring agency TransUnion. (TransUnion, which is also registered as a data broker, has its own contract with Login.gov for fraud prevention.) Other companies that are registered data brokers, such as Accenture and Acxiom, also have contracts with the federal government. Accenture has a $73 million contract with the IRS for fraud prevention, while Acxiom did identity verification for the Department of Veteran Affairs.
Here's the weird part: the government doesn't have direct access to the verification info required by Login.gov, despite being the origin of this information. That allows data brokers to make money by selling the federal government the information it can't acquire legally on its own.
There's a deeper irony in the government's reliance on private firms: Much of the information they use is issued by the government itself. Login.gov's verification process primarily relies on two pieces of information: your social security number and your state-issued ID. But Login.gov itself doesn't have access to that data because of a nearly 50-year-old law designed to protect Americans' privacy, which applies to government agencies, but not to data brokers.
The stated goal for this convoluted, law-skirting mess is fraud prevention. But mission creep set in long ago. Verification info is collected from other sources since the government isn't allowed to retain this data. LexisNexis and its competitors may not store input data from Login.gov users, but this shows they don't need to. They already have it. And what they already have, they can do what they want with. The limits placed on the government don't apply to private contractors. In essence, government work is a side hustle. Plenty of private parties desire this information and there's little in the law preventing data brokers from selling this to other parties like debt collectors, insurance companies, rental agencies, marketing firms, and private security firms.
The Privacy Act passed in 1974 may have prevented the federal government from compiling massive databases of personal information, but it did nothing to prevent private companies from doing the same thing. The reliance on private contractors allows the government to do what it's not allowed to. And it forces taxpayers to cover the tab rung up by the government as private companies sell taxpayers' data back to the government.
Ron Wyden's bill aims to provide better protections from the worst impulses of data brokers. If nothing else, it will prevent Americans from being double-billed when seeking access to government services.
It makes no sense for the government to pay a data broker millions of dollars a year for information that came from government records to begin with," Wyden said in a statement.
The road to better privacy protections is unpaved and uphill. The private sector can do what the government can't. Unfortunately, the government has decided it's ok (if not actually essential) to use the private sector as a legal workaround. All the while, data brokers continue to cash our checks and sell our data to other parties, over and over and over again.