Executive Summary

  • Federal agencies including the FBI, DHS, ICE, and the IRS routinely purchase Americans' cell phone location data, travel records, and browsing history from commercial data brokers — bypassing the Fourth Amendment's warrant requirement entirely.
  • The FBI signed a contract worth up to $27 million with Babel Street for 5,000 licenses to its "Locate X" product, which converts app-derived location data into a searchable surveillance tool, according to federal procurement records reported by WebProNews.
  • In February 2026, the Department of Homeland Security signed a $1 billion contract with Palantir Technologies to deploy AI-powered data analytics across all DHS components, according to reporting by SiliconANGLE.
  • Seventeen state attorneys general have demanded Congress close the "data broker loophole." Section 702 of FISA expires April 20 — the best legislative vehicle for reform that privacy advocates are likely to see this year.

Your weather app knows where you sleep. Your prayer app knows where you worship. Your navigation app knows the route you drive to work, the school where you drop off your children, and the doctor's office you visited last Tuesday afternoon.

You did not give that information to the government. But the government has it anyway.

Here is how it works, what it costs, and why no court has stopped it.

The Fourth Amendment Has a Price Tag

The Supreme Court settled the constitutional question in 2018. In Carpenter v. United States, Chief Justice John Roberts wrote for a 5-4 majority that cell phone location data reveals "the privacies of life" and that the government must obtain a warrant to access it. The decision extended Fourth Amendment protections to the kind of granular digital tracking that previous courts had never contemplated.

The federal government's response was not to comply. It was to find a workaround.

The workaround is commercial data brokers — companies that aggregate location data harvested from mobile apps and sell it in bulk. When you install an app that requests location permissions, that app frequently shares your coordinates with advertising networks and data aggregators. Those aggregators package the data and sell it to anyone willing to pay: marketers, hedge funds, and federal law enforcement agencies.

The legal theory is a relic. The "third-party doctrine," established in Smith v. Maryland (1979), holds that information voluntarily shared with a third party carries no reasonable expectation of privacy. The Carpenter decision explicitly narrowed that doctrine for cell phone location data — but only when the government compels a carrier to hand it over. If the government buys the same data on the open market from a broker, the purchase falls into a gap that no federal statute currently closes.

Privacy lawyers call it the data broker loophole. Federal agencies call it procurement.

What the Government Is Buying

The contracts are public. The scale is not hypothetical.

The FBI signed a contract worth up to $27 million with Babel Street for 5,000 licenses to its "Locate X" product, according to federal procurement records reported by WebProNews. Locate X allows users to draw a digital fence around any address or area, identify every mobile device that entered that zone, and track where those devices traveled in prior months — all without a warrant, a subpoena, or judicial oversight of any kind. Babel Street purchases its data from Venntel, a subsidiary of the marketing data firm Gravy Analytics, according to reporting by The Intercept.

The Department of Homeland Security has purchased cell phone location data from commercial vendors since at least 2017, according to the DHS Inspector General. In February 2026, DHS signed a $1 billion, five-year contract with Palantir Technologies to deploy AI-powered data analytics across all DHS components — including Customs and Border Protection, Immigration and Customs Enforcement, the Federal Emergency Management Agency, and the Cybersecurity and Infrastructure Security Agency, according to reporting by SiliconANGLE. The contract allows multiple DHS agencies to access Palantir platforms without initiating separate competitive procurements for each deployment.

ICE maintains a separate $30 million contract with Palantir for a system called "ImmigrationOS," which applies machine learning to enforcement databases, biometric systems, financial records, and travel data, according to federal procurement records reported by Axios.

The IRS Criminal Investigation division has purchased location data from Venntel, according to reporting by The Intercept. The Secret Service has purchased location data derived from mobile apps through Babel Street's Locate X product, according to contract documents first reported by Motherboard.

Customs and Border Protection paid Babel Street more than $2.7 million for an annual subscription to its social media and location tracking tools, plus an additional $265,000 the following year, and separately purchased access to Venntel's location database, according to reporting by Vice News.

None of these purchases required a warrant. None were reviewed by a judge. None were subject to the probable cause standard that the Fourth Amendment requires for direct government surveillance.

Why Existing Law Does Not Stop It

The Electronic Communications Privacy Act of 1986 prohibits phone companies and internet service providers from selling customer data directly to the government without legal process. But the law was written before data brokers existed. The companies that are legally barred from selling your data to the FBI can sell it to Gravy Analytics, which sells it to Venntel, which sells it to Babel Street, which sells it to the FBI. Each intermediary launders the constitutional problem one step further from judicial review.

The Foreign Intelligence Surveillance Act governs how intelligence agencies collect communications of foreign targets — but Section 702, which expires April 20, contains no prohibition on purchasing commercially available data as a substitute for the collection it authorizes. The 2024 reauthorization through the Reforming Intelligence and Securing America Act (RISAA) added some restrictions on U.S. person queries but left the data broker loophole untouched.

The result is a surveillance architecture that operates entirely outside the warrant framework the Constitution requires. The FBI conducted approximately 200,000 warrantless searches of Americans' data per year before the 2024 reforms, according to the Electronic Privacy Information Center. After RISAA's new restrictions took effect, the officially reported number dropped to 5,518 U.S. person queries in 2024 — but the FBI's own overseers discovered that the Bureau had been using a querying tool that bypassed the required compliance procedures, meaning the actual total is unknown, according to reporting by Nextgov/FCW. In 2025, the reported number rose 35 percent to 7,413 queries, according to a Department of Justice official letter reported by Nextgov/FCW.

Why It Matters Beyond Privacy

The data broker loophole is not only a privacy issue. It is a structural accountability problem.

When the government obtains a warrant, a judge reviews the application. There is a paper trail. There is oversight. There is a check on arbitrary power. When the government buys data from a broker, none of those checks exist. The purchase goes through a procurement office, not a courtroom. No judge evaluates whether there is probable cause. No record is created that a defense attorney can challenge. The transaction looks like office supply procurement, not surveillance.

This means the government can track the movements of journalists, political organizers, religious congregants, and ordinary citizens — anyone whose phone pings a cell tower — without any judicial oversight and without the target ever knowing. Every church, every synagogue, every temple, every political rally, every doctor's office visit generates location data that is commercially available and constitutionally unprotected under current law.

The principle at stake is not abstract. If the government can buy the location data of every person who attended a Baptist revival, it can buy the location data of every person who attended a political protest. If it can track which families visit which houses of worship, it can build a map of every religious community in the country — sorted by faith, by frequency of attendance, by geographic concentration. No warrant. No oversight. No limit.

The Reform That Almost Passed

Congress came within one vote of closing the loophole.

During the 2024 FISA reauthorization debate, a bipartisan amendment requiring a warrant for U.S. person queries failed in the House by a tie vote of 212-212, according to the official House Clerk vote record. Speaker Mike Johnson switched his vote to break the tie against the warrant requirement.

This cycle, the Government Surveillance Reform Act — introduced by Senators Ron Wyden (D-OR) and Mike Lee (R-UT), with companion legislation from Representatives Warren Davidson (R-OH) and Zoe Lofgren (D-CA) — would require warrants for queries that return Americans' communications and would prohibit agencies from purchasing Americans' private data from commercial brokers as a substitute for obtaining a warrant, according to the bill summary released by Senator Wyden's office.

Seventeen state attorneys general, led by Connecticut Attorney General William Tong, sent a letter to congressional leadership demanding Congress close the loophole, require warrants for federal access to digital data, and mandate deletion of unlawfully collected information and the AI models trained on it, according to the Connecticut Attorney General's office. A separate coalition of more than 130 civil society organizations has urged Congress not to reauthorize Section 702 without the data broker ban, according to the Brennan Center for Justice.

The Congressional Progressive Caucus — 98 House Democrats — has formally voted to oppose any FISA reauthorization without "dramatic reforms," according to reporting by State of Surveillance. Combined with libertarian-leaning Republicans who have historically opposed warrantless surveillance, the reform coalition has the votes to block a clean extension — if it holds.

What You Can Do

The data broker economy runs on a simple exchange: apps collect your location in exchange for free services, and brokers buy that data in bulk. Every American with a smartphone is a node in this system. Reducing your exposure requires deliberate choices.

Review the location permissions on every app on your phone. Any app that has "always on" location access is a potential data source for the broker pipeline. Weather apps, prayer apps, coupon apps, and games are among the most common collectors. Disable location access for every app that does not require it to function. For apps that do require it, switch permissions from "always" to "only while using."

Disable your phone's advertising identifier — the unique tag that allows brokers to link your location data across apps. On iPhone, go to Settings, then Privacy and Security, then Tracking, and disable "Allow Apps to Request to Track." On Android, go to Settings, then Privacy, then Ads, and select "Delete advertising ID."

These steps reduce your visibility in the commercial data market. They do not eliminate it. La Verdad Tejana has published a step-by-step guide in Spanish for protecting your phone from ICE tracking — a practical resource for the communities most directly affected by the data broker pipeline. The only measure that closes the loophole at its source is legislation — a federal law that treats purchased data the same way the Constitution treats compelled data.

Congress has six days.

Related Bastion Daily coverage: Seventeen AGs Demand Congress Close the Loophole | What Is Section 702? | The FBI Director's Admission