The right to see who is spying on us

An eye in the darkness

CNN reports that the NSA has been buying internet data as a way to track Americans without a warrant:

[Oregon Democratic Senator Ron] Wyden, one of Congress’ most vocal privacy advocates, said he spent nearly three years pushing to be able to disclose the NSA practice and only succeeded when he placed a hold on the nomination of Nakasone’s successor for NSA director, Lt. Gen. Timothy Haugh. In a similar disclosure in 2021, Wyden revealed that the Defense Intelligence Agency had purchased commercially available smartphone location data without a warrant.

A few different tools are available to highlight software that tracks you across the websites you visit. The Markup’s Blacklight tests any individual website; the EFF’s Privacy Badger claims to protect your browser as you visit websites; Firefox has built-in privacy as standard. For the average user, however, the advantages might not be so obvious: so what if some firm I’ve never heard of sets a cookie in my browser? What does it matter that Google can see me? After all, they already have my search history.

While we can make tracking software visible, it’s harder to understand who the customers of this tracking data actually are. And that matters a lot, because that’s how your data is actually getting used. The companies that run the trackers are middlemen trying to make a profit; they’re interested in tracking you as well as possible. The real question is why you’re being tracked. Who has a use case for your information?

Some of those use cases are relatively benign: box stores trying to understand what they should advertise to you, for example. But those customers also include law enforcement and the security services, who have found that they can discover information that would ordinarily necessitate obtaining a warrant simply by paying a data broker for it.

H.R. 4639, the Fourth Amendment Is Not For Sale Act, which would ban this practice, was introduced in Congress last year. That’s a start, but it wasn’t voted on, let alone passed. There’s a long legislative road ahead before we see rules barring warrantless surveillance through data brokers.

Even if you feel like you’ve got nothing to hide, consider that this puts you in a privileged group. I like Edward Snowden’s comment on the right to privacy:

Arguing that you don't care about the right to privacy because you have nothing to hide is no different than saying you don't care about free speech because you have nothing to say. A free press benefits more than just those who read the paper.

For example, consider a pregnant person who is trying to find information about obtaining an abortion. Those searches — or carrying a cellphone with location services enabled that contains apps which report location in the background while visiting a reproductive health clinic — create a trail of internet traffic that could potentially be obtained by law enforcement in a state that disallows abortions. That information exists, despite claims by Google and others that it would be deleted to avoid this situation:

A year and a half has passed since Google first pledged to delete all location data on users’ visits to abortion clinics with minimal progress. The move would have made it harder for law enforcement to use that information to investigate or prosecute people seeking abortions in states where the procedure has been banned or otherwise limited. Now, a new study shows Google still retains location history data in 50% of cases.

A few years ago, it emerged that a branch of the military was buying data from Muslim prayer apps. Back then, developers admitted that they had no idea who was buying the data:

Some app developers Motherboard spoke to were not aware who their users' location data ends up with, and even if a user examines an app's privacy policy, they may not ultimately realize how many different industries, companies, or government agencies are buying some of their most sensitive data.

While blocking trackers is absolutely a way to protect user privacy, I believe these events point to a need for privacy policies to identify the people and organizations who actively purchase data (both directly and at the data broker level). That means data brokers need to be far more transparent with the websites and software developers they partner with, so that they, in turn, can be more transparent with their users.

It’s clearly not something that would happen without legislation: given the optics and public sentiment around surveillance, who would want to be seen to be purchasing people’s private information? But adding sunlight to a mix of privacy protections that also includes purchasing restrictions on government and technical restrictions on trackers can only be helpful.

While we certainly should care about how our activity is tracked, we all really care about who has access to our private information. We should have the right to find out.

