When three Republicans held up the Section 702 reauthorization this week, their publicly stated condition was a warrant requirement for queries of Americans' communications. That fight is real, and it matters. But even a perfect warrant requirement — applied to every intelligence community query of the 702 database — would leave the largest warrantless surveillance pipeline in the federal government untouched.
That pipeline is the data broker loophole.
Federal agencies buy, from commercial data brokers, the same categories of information that the Supreme Court has ruled law enforcement must obtain a warrant to collect directly. Location histories from smartphone apps. Communications metadata from advertising technology firms. Visited-site histories from browser telemetry. The information sits on agency servers indefinitely. No judge signs off. No suspicion standard applies. The purchase is the process.
This is not a theoretical concern. It is a decade-old procurement pattern with a documented dollar figure.
What Carpenter Said, and What Agencies Did Next
In 2018, the Supreme Court decided Carpenter v. United States. The Court held that law enforcement collection of cell-site location information — the data records generated when your phone pings a cellular tower — required a warrant. Chief Justice Roberts, writing for the majority, was explicit about why: cell-site records provide "an intimate window into a person's life" that is fundamentally different in kind from the financial records and pen registers the Court had previously allowed without warrants.
Within months, federal agencies began scaling a parallel procurement pipeline that the ruling did not touch.
The logic was purely textual. Carpenter applied to collection by the government. It did not address the question of what happens when the government purchases the same categories of data from a private intermediary. Data brokers aggregate location pings from thousands of smartphone applications — weather apps, fitness trackers, coupon apps, children's games — that collect location data and sell it through advertising technology exchanges. That data is obtained, initially, through terms-of-service consent. It is then resold through a tangle of intermediaries before reaching the aggregator's database. By the time a federal agency buys it, the argument goes, it is no longer "collection" at all. It is a commercial transaction.
The Department of Homeland Security was an early mover. A 2020 Wall Street Journal investigation documented that Immigration and Customs Enforcement and Customs and Border Protection had purchased access to a commercial database covering approximately 250 million phones across the United States, supplied by a Virginia-based broker called Venntel. The database let agents query the movements of any device in the data set, without individualized judicial authorization, by drawing a geographic "bounding box" on a map and pulling every ping inside it.
DHS's Office of Inspector General eventually issued a 2023 report concluding that ICE and CBP had used commercial location data without adequate legal review, without published privacy impact assessments, and without formal policies governing the scope of queries. By the time the report was published, DHS had spent at least $6.2 million on the Venntel contract alone, according to procurement records the Electronic Frontier Foundation obtained through FOIA. Separate contracts with other brokers pushed the total significantly higher.
The IRS Bought Location Data in 2017
The pattern predates even the Carpenter ruling. The Internal Revenue Service's Criminal Investigation Division signed a $1.05 million contract with LocationSmart in 2017, according to contract records first reported by The New York Times and Vice News. The IRS paid LocationSmart — a broker that pulled cellphone location data from all four major U.S. carriers — for investigative queries.
After ACLU and Senate Finance Committee inquiries, the IRS told Congress in 2020 that it had stopped using the tool. But the fact that the contract existed at all — that a federal tax agency spent seven figures of appropriated money to query the real-time location of American cellphones without judicial authorization — established the operational template that DHS, DoD, and other agencies would follow at scale.
The Defense Side
The Department of Defense, the U.S. Special Operations Command, and the intelligence community have their own versions. A 2022 Motherboard investigation reported that U.S. Special Operations Command purchased access to Locate X, a product of the data analytics firm Babel Street, which aggregated location histories derived from the same advertising technology supply chain. A senior USSOCOM official told Motherboard that the data had been used to track individuals overseas.
What the same reporting documented, and what has drawn less attention, is that the product made no technical distinction between overseas queries and domestic ones. A user with Locate X access could search a location anywhere in the world, including inside the United States. The procurement contracts did not include geographic access controls. The policies that governed use were internal to each agency, varied across agencies, and were not audited by any external body.
A 2024 report by the Office of the Director of National Intelligence, declassified only after Senate pressure, confirmed that the intelligence community as a whole had been purchasing "commercially available information" — the government's preferred euphemism for data-broker data — in quantities and with analytic depth that the report itself acknowledged would raise Fourth Amendment questions if the same material had been collected by the agencies directly.
What the Data Includes
The public debate has focused on location. Location is the most legally clean data-broker product — the one most directly analogous to the cell-site records at issue in Carpenter. But the brokers sell much more than location.
The categories that current reporting has documented include browsing histories derived from embedded advertising trackers on commercial websites; application usage patterns pulled from software development kits bundled into consumer apps; purchase histories from loyalty and retail data exchanges; demographic and household composition data from credit bureaus and marketing firms; and — in some cases — the contents of communications metadata that transit advertising technology systems. The American Civil Liberties Union's 2022 report on data broker procurement catalogued agency contracts covering each of these categories across DHS, DoD, IRS, SEC, FBI, Treasury, and the Defense Counterintelligence and Security Agency.
The aggregated effect is a shadow surveillance architecture that, at the procurement level, operates on open appropriations and federal contracts. Congressional staff can inspect the line items. Most do not. The agencies involved do not publish privacy impact assessments that describe the full scope of queries. Internal use policies, where they exist, are classified or For Official Use Only.
The Legislative Gap
The proposed remedy has a name and a bill number. The Fourth Amendment Is Not for Sale Act, H.R. 4639, would prohibit federal agencies from purchasing from commercial data brokers information that would otherwise require a warrant, subpoena, or court order to obtain. The bill has cleared the House twice — once in 2024 on a 219-199 vote, and again as a floor amendment during the 2024 Section 702 reauthorization debate, where the amendment passed the House and was then stripped in conference with the Senate.
In the current reauthorization fight, the amendment never received a floor vote. Rep. Warren Davidson (R-OH) had pushed to include it, according to The Hill, but the closed rule offered by Republican leadership did not allow amendments. When the rule collapsed Wednesday evening, the data broker amendment died with it. The 13-day stopgap that cleared the House at 2:09 a.m. Thursday contained no warrant requirement and no data broker restriction.
That is the state of play as of Saturday morning. The permanent authority expires on April 30. Whatever Congress passes before that sunset will almost certainly leave the commercial data pipeline intact. The fight over the 702 database — real and consequential — is being waged over a subset of federal surveillance. The larger surface, the commercial one, is not yet in scope.
Why It Matters
For two decades, the legal debate about federal surveillance has focused on what the Constitution permits the government to collect. The Supreme Court has drawn lines — Katz, Jones, Carpenter — each further than the last. Americans have been told those lines would hold.
The data broker loophole is the argument that they do not. If a federal agency can obtain, through a purchase order, information that a judge would have to authorize if the agency collected it directly, then the constitutional line has been redrawn without a single ruling, vote, or public debate. It has been redrawn by procurement.
Closing that loophole is a separate fight from the warrant requirement currently blocking the Section 702 reauthorization. It should not be conflated with that fight. But it cannot be ignored, either. A warrant requirement for 702 queries, passed next week or next month, that leaves the commercial pipeline untouched, is a victory that does not reach the larger problem. The reformers pushing the warrant fight know that. The agencies that have spent a decade building the commercial pipeline know it too.
The public — most of it — does not. That is the loophole's most durable protection.