[House Hearing, 117 Congress]
[From the U.S. Government Publishing Office]


                           DIGITAL DRAGNETS:
                  EXAMINING THE GOVERNMENT'S ACCESS TO 
                           YOUR PERSONAL DATA

=======================================================================

                                HEARING

                               BEFORE THE

                       COMMITTEE ON THE JUDICIARY

                     U.S. HOUSE OF REPRESENTATIVES

                    ONE HUNDRED SEVENTEENTH CONGRESS

                             SECOND SESSION

                               __________

                         TUESDAY, JULY 19, 2022

                               __________

                           Serial No. 117-74

                               __________

         Printed for the use of the Committee on the Judiciary
         
[GRAPHIC NOT AVAILABLE IN TIFF FORMAT]         


               Available via: http://judiciary.house.gov
               
                               __________

                    U.S. GOVERNMENT PUBLISHING OFFICE                    
48-809                     WASHINGTON : 2022                     
          
-----------------------------------------------------------------------------------                
               
                       COMMITTEE ON THE JUDICIARY

                    JERROLD NADLER, New York, Chair
                MADELEINE DEAN, Pennsylvania, Vice-Chair

ZOE LOFGREN, California              JIM JORDAN, Ohio, Ranking Member
SHEILA JACKSON LEE, Texas            STEVE CHABOT, Ohio
STEVE COHEN, Tennessee               LOUIE GOHMERT, Texas
HENRY C. ``HANK'' JOHNSON, Jr.,      DARRELL ISSA, California
    Georgia                          KEN BUCK, Colorado
THEODORE E. DEUTCH, Florida          MATT GAETZ, Florida
KAREN BASS, California               MIKE JOHNSON, Louisiana
HAKEEM S. JEFFRIES, New York         ANDY BIGGS, Arizona
DAVID N. CICILLINE, Rhode Island     TOM McCLINTOCK, California
ERIC SWALWELL, California            W. GREG STEUBE, Florida
TED LIEU, California                 TOM TIFFANY, Wisconsin
JAMIE RASKIN, Maryland               THOMAS MASSIE, Kentucky
PRAMILA JAYAPAL, Washington          CHIP ROY, Texas
VAL BUTLER DEMINGS, Florida          DAN BISHOP, North Carolina
J. LUIS CORREA, California           MICHELLE FISCHBACH, Minnesota
MARY GAY SCANLON, Pennsylvania       VICTORIA SPARTZ, Indiana
SYLVIA R. GARCIA, Texas              SCOTT FITZGERALD, Wisconsin
JOE NEGUSE, Colorado                 CLIFF BENTZ, Oregon
LUCY McBATH, Georgia                 BURGESS OWENS, Utah
GREG STANTON, Arizona
VERONICA ESCOBAR, Texas
MONDAIRE JONES, New York
DEBORAH ROSS, North Carolina
CORI BUSH, Missouri

        AMY RUTKIN,  Majority Staff Director and Chief of Staff
               CHRISTOPHER HIXON, Minority Staff Director
                                 ------                                
                            
                            C O N T E N T S

                              ----------                              

                         Tuesday, July 19, 2022

                                                                   Page

                           OPENING STATEMENTS

The Honorable Jerrold Nadler, Chair of the Committee on the 
  Judiciary from the State of New York...........................     1
The Honorable Jim Jordan, Ranking Member of the Committee on the 
  Judiciary from the State of Ohio...............................     3

                               WITNESSES

The Honorable Bob Goodlatte, Senior Policy Advisor, Project for 
  Privacy & Surveillance Accountability; Former Chair, House 
  Judiciary Committee
  Oral Testimony.................................................     6
  Prepared Testimony.............................................     8
Sarah Lamdan, Professor of Law, The City University of New York 
  School of Law
  Oral Testimony.................................................    15
  Prepared Testimony.............................................    17
Rebecca Wexler, Faculty Co-Director, Berkeley Center for Law & 
  Technology and Assistant Professor of Law, University of 
  California, Berkeley, School of Law
  Oral Testimony.................................................    27
  Prepared Testimony.............................................    29
Brett Tolman, Executive Director, Right on Crime
  Oral Testimony.................................................    32
  Prepared Testimony.............................................    34
Elizabeth Goitein, Senior Director, Liberty & National Security 
  Program, Brennan Center for Justice
  Oral Testimony.................................................    38
  Prepared Testimony.............................................    40

          LETTERS, STATEMENTS, ETC. SUBMITTED FOR THE HEARING

Statement from Caitlin T. Chin, Fellow, Strategic Technologies 
  Program, Center for Strategic & International Studies, 
  submitted by the Honorable Jerrold Nadler, Chair of the 
  Committee on the Judiciary from the State of New York, for the 
  record.........................................................    58
Materials submitted by the Honorable Andy Biggs, a Member of the 
  Committee on the Judiciary from the State of Arizona, for the 
  record
  An article entitled, ``Defense Firm Said U.S. Spies Backed Its 
    Bid for Pegasus Spyware Maker,'' The New York Times..........    70
  An article entitled, ``F.B.I. Secretly Bought Israeli Spyware 
    and Explored Hacking U.S. Phones,'' The New York Times.......    74
  An article entitled, ``F.B.I. Told Israel It Wanted Pegasus 
    Hacking Tool for Investigations,'' The New York Times........    77
  An article entitled, ``The New Spy Wars,'' The New York Times..    80
Materials submitted by the Honorable Zoe Lofgren, a Member of the 
  Committee on the Judiciary from the State of California, for 
  the record
  An article entitled, ``New Records Detail DHS Purchase and Use 
    of Vast Quantities of Cell Phone Location Data,'' American 
    Civil Liberties Union........................................    84
  An article entitled, ``ICE Searched LexisNexis Database Over 1 
    Million Times In Just Seven Months,'' The Intercept..........    88
  A report entitled, ``American Dragnet: Data-Driven Deportation 
    in the 21st Century,'' Georgetown Law Center on Privacy & 
    Technology...................................................    95
Materials submitted by the Honorable Matt Gaetz, a Member of the 
  Committee on the Judiciary from the State of Florida, for the 
  record
  An article entitled, ``Disney takes over Hulu, a company with 
    serious data collection issues,'' Kim Komando................   214
  An article entitled, ``Disneyland is tracking guests and 
    generating big profits doing it,'' Los Angeles Times.........   219
  An article entitled, ``Disney Facing Lawsuit Over Collecting 
    and Selling Children's Personal Information,'' Werner Travel 
    Media........................................................   223
  An article entitled, ``Disney Uses Big Data, IoT And Machine 
    Learning To Boost Customer Experience,'' Forbes..............   225
Materials submitted by the Honorable Sylvia Garcia, a Member of 
  the Committee on the Judiciary from the State of Texas, for the 
  record
  An article entitled, ``Homeland Security records show 
    `shocking' use of phone data, ACLU says,'' Politico..........   232
  An article entitled, ``ICE investigators used a private utility 
    database covering millions to pursue immigration 
    violations,'' The Washington Post............................   241
  An article entitled, ``Federal Agencies Use Cellphone Location 
    Data for Immigration Enforcement,'' The Wall Street Journal..   244

                                APPENDIX

A letter from the Disinfo Defense League, July 19, 2022, 
  submitted by the Honorable Jerrold Nadler, Chair of the 
  Committee on the Judiciary from the State of New York, for the 
  record.........................................................   280

                 QUESTIONS AND RESPONSES FOR THE RECORD

Questions for Elizabeth Goitein and the Honorable Bob Goodlatte, 
  submitted by the Honorable Ted Lieu, a Member of the Committee 
  on the Judiciary from the State of California, for the record..   286
Responses from Elizabeth Goitein, submitted by the Honorable Ted 
  Lieu, a Member of the Committee on the Judiciary from the State 
  of California, for the record..................................   287
Responses from the Honorable Bob Goodlatte, submitted by the 
  Honorable Ted Lieu, a Member of the Committee on the Judiciary 
  from the State of California, for the record...................   291

 
                                     
                           DIGITAL DRAGNETS:
        EXAMINING THE GOVERNMENT'S ACCESS TO YOUR PERSONAL DATA

                              ----------                              


                         Tuesday, July 19, 2022

                     U.S. House of Representatives

                       Committee on the Judiciary

                             Washington, DC

    The Committee met, pursuant to call, at 10:03 a.m., in Room 
2141, Rayburn House Office Building, Hon. Jerrold Nadler [Chair 
of the Committee] presiding.
    Members present: Representatives Nadler, Lofgren, Jackson 
Lee, Johnson of Georgia, Cicilline, Swalwell, Raskin, Jayapal, 
Scanlon, Garcia, McBath, Stanton, Dean, Escobar, Ross, Bush, 
Jordan, Chabot, Issa, Buck, Gaetz, Biggs, McClintock, Steube, 
Tiffany, Massie, Bishop, Fitzgerald, Bentz, and Owens.
    Staff present: Aaron Hiller, Chief Counsel and Deputy Staff 
Director; John Doty, Senior Advisor and Deputy Staff Director; 
Arya Hariharan, Chief Oversight Counsel; David Greengrass, 
Senior Counsel; Moh Sharma, Director of Member Services and 
Outreach & Policy Advisor; Jacqui Kappler, Oversight Counsel; 
Roma Venkateswaran, Professional Staff Member/Legislative Aide; 
Cierra Fontenot, Chief Clerk; Gabriel Barnett, Professional 
Staff Member; Casey Lee, Staff Assistant; Merrick Nelson, 
Digital Director; Elliott Walden, Minority Counsel; Michael 
Koren, Minority Senior Professional Staff Member; Andrea 
Woodard, Minority Professional Staff Member; and Kiley 
Bidelman, Minority Clerk.
    Chair Nadler. The House Committee on the Judiciary will 
come to order. Without objection, the Chair is authorized to 
declare recesses of the Committee at any time. We welcome 
everyone to this morning's hearing on Digital Dragnets: 
Examining the Government's Access to Your Personal Data.
    Before we begin, I would like to remind Members that we 
have established an email address and distribution list 
dedicated to circulating exhibits, motions, or other written 
materials that Members might want to offer as part of our 
hearing today. If you would like to submit materials, please 
send them to the email address that has been previously 
distributed to your offices, and we will circulate the 
materials to Members and staff as quickly as we can.
    I will now recognize myself for an opening statement after 
observing that the proceeding was probably not known when Bob 
Goodlatte was Chair of this Committee before we went into all 
this stuff.
    Data is often called the oil of the 21st century, and the 
rush to participate in the market for data has made the 
tracking of our personal information an inescapable part of 
daily life. From web hosts and cell phones to service providers 
and mobile applications, companies that provide online services 
are part of an ever-growing industry around the collection and 
commodification of our data.
    Private companies now compete with each other to manage 
these enormous troves of information. This trend alone presents 
significant privacy concerns. It is even more troubling that 
law enforcement and intelligence agencies at all levels of 
government are purchasing this data for their own use, often 
sidestepping protections designed to limit the direct 
acquisition of the exact same information.
    Simply put, law enforcement and intelligence agencies are 
now able to obtain vast quantities of information that would 
otherwise be unavailable to them without a warrant. Your 
physical location, personal habits, internet searches, likes 
and dislikes, and politics, to name just a few private 
concerns, are all available and accessible to the government.
    The easy availability of personal data to the government 
poses significant risks to minorities, to those with unpopular 
views, to our system of justice, and ultimately, to the 
stability of our democracy itself. Our founders understood what 
a country without protection from unwarranted search and 
seizure looks like. They knew that, to protect the citizens of 
the fledgling United States of America from the government it 
was creating, it was essential to provide basic guidelines for 
law enforcement to follow, which they did in the Fourth 
Amendment.
    Recent advances have allowed the technology of data 
collection to get ahead of the laws protecting our privacy. 
This overreach is clear from recent scandals that include the 
pervasive use of geolocation data to track peaceful protesters, 
the sweeping surveillance of thousands of devices to identify 
just two suspects, and the purchase of data from prayer apps 
and dating apps.
    What links these incidents and others together is a 
disturbing trend, the increasing reliance of law enforcement on 
massive data sets with little consideration for due process. It 
is, plain and simple, the warrantless surveillance of everyday 
Americans. It may have dire consequences.
    For example, women across the country who wonder what 
America will look like in the wake of the Dobbs decision are at 
particular risk for this data surveillance. In States where 
abortion is now a crime, law enforcement can use available data 
to keep track of who searches online for the words miscarriage 
or abortion. They can purchase geolocation data to monitor 
which phones travel out of State to go to a medical provider. 
They can access the data from tracking apps or purchase 
integrated data profiles to see or even predict if and when a 
woman may be pregnant or may be likely to seek an abortion.
    The more we learn the more we realize that there are few 
measures in place to shield our digital footprints from the 
hands of government agencies. Every person sitting in this room 
likely has a cell phone with them today that is tracking 
location, use, and communications to and from the device. 
Private companies will sweep up that information, package it, 
and sell it for uses ranging from the most benign microtargeted 
advertisement to the most invasive digital profile.
    Law enforcement and intelligence agencies clearly have an 
interest in those commercial products, especially where due 
process concerns would make it difficult for those agencies to 
acquire the data directly.
    Although some companies claim to sell only anonymized data 
or never to sell to the government, experts agree that both 
guarantees are empty promises. When there is no constraint on 
the future use or sale of individual data, companies have no 
control over reidentification of that data and no control over 
where it goes next.
    Although we do not know the full scope of the Federal 
government's access to and use of these commercial products, 
some government contracts give us a sense of scale. For 
example, ICE, the DEA, and the FBI each contract with a data 
broker that sources location data from over 80,000 apps. The 
products are so precise that officers can track individuals 
within specific homes and businesses, again tracking your 
location over time, within inches, without any due process 
whatsoever.
    The problem is not limited to the purchase of data. So-
called reverse search warrants allow law enforcement agencies 
to make broad requests for a company's data, such as every 
person who searched for a specific term or every person who is 
in a particular place over some period of time, totally 
upending traditional notions of a narrowly tailored warrant 
based on probable cause.
    The end result is that just by going about your daily life 
your data may be swept up in and make you the subject of a 
criminal investigation. Investigations this broad and baseless 
present significant risk of mistaken identity and have led to 
erroneous arrests in many cases.
    If law enforcement and intelligence agencies remain 
unrestrained in their ability to purchase this data, our right 
to privacy will be, at best, illusory. I look forward to 
hearing from our distinguished Witnesses about how pervasive 
this problem is and how we can best rebalance the law to 
protect our liberty.
    I now recognize the Ranking Member of the Judiciary 
Committee, the gentleman from Ohio, Mr. Jordan, for his opening 
statement.
    Mr. Jordan. Thank you, Mr. Chair. I want to thank you for 
having this hearing and for our Witnesses, all our Witnesses 
who are here today. I look forward to their testimony.
    Over the last year, we have seen how big government has 
threatened almost every freedom Americans enjoy. I mean, just 
stop and think about it for a second. The First Amendment 
rights we enjoy, your right to practice your faith, your right 
to assemble, right to petition the government, freedom of 
press, freedom of speech, every single one has been attacked, 
has been assaulted over the last year by government.
    Until a few months ago there were still places in the 
country where a full congregation couldn't meet on Sunday 
morning, your right to assemble. I always use the example, 
about a year and a half ago I spoke to the New Mexico 
Republican Party in Amarillo, Texas, because they had to go to 
Texas for the freedom to assemble and meet in the size group 
that they wanted to meet.
    The ability to petition your government, again, until a few 
months ago, you couldn't even, American citizens couldn't even 
go into their Capitol to talk to their Member of Congress to 
petition them to redress their grievances because the Speaker 
of the House wouldn't let them in.
    We know what has happened with freedom of press and freedom 
of speech. The government was trying to--they did for like 
three weeks, then, thank goodness, they cancelled it. They 
tried to form a Disinformation Governance Board, for goodness' 
sake. So, First Amendment attacks we have seen.
    We know about the Second Amendment attacks. There is going 
to be one tomorrow in this Committee, a markup on a bill to 
limit the Second Amendment rights law abiding Americans enjoy.
    Of course, today the focus is on our Fourth Amendment 
rights. Never before in our history has the government known 
more about its citizens and had more sophisticated tools for 
spying on us than right now. Not only does government have the 
technological abilities to gather large amounts of information 
about us, but the law is also in many ways outdated and on the 
side of those doing the spying rather than on those being spied 
on. This is wrong, and it is un-American.
    The Foreign Intelligence Surveillance Act was originally 
intended by Congress to reign in abuses from the intelligence 
community in the '60s and '70s, spies that grew out of the 
Senate Church Committee Investigation, which uncovered, among 
other things, that the CIA was infiltrating political 
organizations.
    Over time what were supposed to be guardrails have turned 
into loopholes for legitimizing a surveillance dragnet. Nowhere 
was this more obvious than when the FBI, Director Comey and his 
cronies, misused the FISA program to target a presidential 
campaign. It took years for us to uncover the systematic abuses 
that allowed Comey and the FBI to spy on an American President. 
If the FBI can do it, and this is critical, if the FBI can do 
it to a presidential campaign, they can do it to anyone, any 
American citizen.
    Still, FISA remains broken and in desperate need of serious 
reform. It is our hope that Congress will be ready soon to move 
serious legislation to stop these abuses and provide for more 
transparency and accountability in the FISA process.
    The problem is hardly limited to FISA. The mass adoption of 
electronic devices that collect data on every aspect of our 
lives has allowed new avenues for surveillance that require us 
to rethink the law.
    I want to thank former Chair Goodlatte for joining us 
today. Among other things, Chair Goodlatte shepherded through 
much needed reforms to the Electronic Communications Privacy 
Act, or ECPA. That reform legislation was reported out of this 
Committee and passed the House twice. Unfortunately, it did not 
get through the Senate. It is high time that Congress reform 
that law. This should be low-hanging fruit to protect 
Americans' privacy.
    That legislation is woefully outdated. It was signed into 
law in 1986 before the modern internet existed. It has left 
many loopholes for warrantless surveillance that are regularly 
exploited by law enforcement.
    Earlier this year this Committee sought to close one such 
loophole when we passed legislation to put restrictions on gag 
orders that prevent third parties from telling their customers 
that their information is being solicited by the government.
    We still have much work to do. This must include us taking 
a hard look at government's warrantless access to commercially 
available bulk data and its use of tools like Pegasus that 
allow them to spy on encrypted mobile devices. It should also 
include us considering restrictions on the government's use of 
facial recognition technology within the United States to 
target citizens.
    I hope that we can work together, and we can begin the long 
overdue process of putting common sense guardrails in place to 
protect Americans' Fourth Amendment liberties. Mr. Chair, thank 
you again for this hearing. I do look forward to the discussion 
and the testimony from our Witnesses.
    Chair Nadler. Thank you, Mr. Jordan. Without objection, all 
other opening statements will be included in the record.
    I will now introduce today's Witnesses.
    Bob Goodlatte is Senior Policy Advisor for the Project for 
Privacy and Surveillance Accountability and is also the former 
Chair of the House Judiciary Committee, that is to say of this 
Committee, as well as the former Chair of the House Agriculture 
Committee. Chair Goodlatte served in the House with distinction 
from 1993-2019. He received his B.A. from Bates College and his 
J.D. from Washington and Lee University. It is our great 
pleasure to welcome him back to this Committee.
    Sarah Lamdan is a Professor of Law at the City University 
of New York School of Law whose research focuses on information 
law and policy. She is also a fellow at the Engelberg Center on 
Innovation Law & Policy at NYU School of Law. Professor Lamdan 
received her undergraduate and law degrees from the University 
of Kansas and a master's degree from Emporia State University's 
School of Library and Information Management.
    Rebecca Wexler is Faculty Co-Director of the Berkeley 
Center for Law and Technology and Assistant Professor of Law at 
the University of California, Berkeley, School of Law. Prior to 
attending law school, she made documentary films for national 
broadcast television, museums, and educational distribution. 
Professor Wexler received her B.A. from Harvard College, her 
Master of Philosophy from Cambridge University, and her J.D. 
from Yale Law School.
    Brett Tolman serves as Executive Director of Right on 
Crime. He is also the founder of the Tolman Group, focusing on 
public policy and government reform. Prior to entering private 
practice, he served as the United States Attorney for the 
District of Utah. Previously, he also served as Chief Counsel 
for Crime and Terrorism to the United States Senate Judiciary 
Committee. Mr. Tolman received his undergraduate and law 
degrees from Brigham Young University.
    Elizabeth Goitein, and I hope I have that pronunciation 
right, Elizabeth Goitein is Senior Director of the Liberty and 
National Security Program at the Brennan Center for Justice. 
Before coming to the Brennan Center, she served as counsel to 
Senator Russ Feingold on the Senate Judiciary Committee and as 
a trial attorney in the Federal Programs Branch of the Civil 
Division of the Department of Justice. Previously, she clerked 
for Judge Michael Daly Hawkins on the U.S. Court of Appeals for 
the Ninth Circuit. She received her undergraduate and law 
degrees from Yale University.
    We welcome our distinguished Witnesses, and we thank them 
for participating today. I will begin by swearing in our 
Witnesses. I ask that our Witnesses in person please rise and 
raise your right hand. I ask that our remote Witnesses please 
turn on your audio and make sure I can see your face and raised 
right hand while I administer the oath. Okay.
    Do you swear or affirm under penalty of perjury that the 
testimony you are about to give is true and correct to the best 
of your knowledge, information, and belief so help you God? Let 
the record show that the Witnesses have answered in the 
affirmative. Thank you and please be seated.
    Please note that each of your written statements will be 
entered into the record in its entirety. Accordingly, I ask 
that you summarize your testimony in five minutes. To help you 
stay within that time, there is a timing light on your table. 
When the light switches from green to yellow, you have one 
minute to conclude your testimony. When the light turns red, it 
signals your five minutes have expired. For our Witnesses 
appearing virtually, there is a timer on your screen to help 
you keep track of time.
    Chair Goodlatte, you may begin.

              STATEMENT OF THE HON. BOB GOODLATTE

    Mr. Goodlatte. Chair Nadler, Ranking Member Jordan, I am 
honored to be back before my colleagues today. I come in as the 
Senior Policy Advisor for the Project for Privacy & 
Surveillance Accountability, or PPSA, a non-partisan group that 
advocates for our Fourth Amendment protections and government 
surveillance reform. We work on a daily basis with about ten 
other civil liberties organizations across the ideological 
spectrum.
    A giant loophole we never imagined has weakened those 
protections. Government agencies are asserting they can flout 
the Fourth Amendment's requirement for a probable cause warrant 
by simply buying our personal data. Agencies ranging from the 
Defense Intelligence Agency to the IRS to likely the FBI and 
CIA as well are buying the personal data of millions of 
Americans they would otherwise have to get a warrant to obtain.
    Some of us are nonchalant about all the personal 
information companies like Facebook compile on us. Others are 
outraged at this corporate invasion of our privacy. I would 
add, however, that the extraction of our personal data by the 
government is far more ominous. No private party can break down 
your door at dawn, take you out in handcuffs, and prosecute 
you. No private party can fine you, enjoin you, restrain you, 
tax you, and deprive you of liberty and, yes, even life. Only 
the government can do that.
    Our very country was born out of anger and fear of what a 
government can do to people when it doesn't respect their 
privacy. The offensiveness of seizures of Americans' personal 
information by agents of the British Crown explains why the 
framers of the Constitution explicitly required a warrant based 
on probable cause.
    Now, government lawyers are embellishing this work of the 
framers by adding, ``unless we buy it.'' This practice defies 
the Fourth Amendment. It also defies Supreme Court opinions 
requiring warrants to access someone's location history from a 
cell tower and forbidding warrantless intrusion into a cell 
phone because it holds ``the privacies of life.''
    A reasonable interpretation of these opinions should have 
prompted government lawyers to tread lightly. Instead, like a 
flippant teenager, government lawyers take these restrictions 
as a sign that anything not expressly prohibited must be 
permissible. Thus, Senator Ron Wyden reports that the Defense 
Intelligence Agency informed his office it does not have to 
adhere to the Constitution or the Supreme Court Carpenter 
ruling when it buys data. That is outrageous.
    Even more outrageous is how data purchasing operates in 
practice. Just yesterday, the American Civil Liberties Union 
released thousands of pages of data showing that Department of 
Homeland Security agencies are paying millions of dollars to 
data brokers, one of which claims to collect more than 15 
billion, that is with a ``B,'' location points from over 250 
million mobile devices every day.
    The Department of Defense, for example, has used this 
tactic to access data from a dating app, Muslim Mingle. 
Imagine, this government agency managed to compromise the 
Fourth Amendment and degrade the First Amendment right to free 
exercise of religion in just one move.
    In February, Senators Wyden and Heinrich revealed that the 
CIA has engaged in bulk collection based not on a statutory 
authority but on Executive Order 12333, entirely outside of any 
judicial or statutory authority. This strongly suggests legal 
acrobatics similar to DOD's are at play at the CIA.
    Under current law, the government cannot obtain records 
from companies like Facebook and Google without a court order. 
Why should data brokers be treated any differently? The 
obscurity of the loophole the government is exploiting 
underscore how shaky its legal foundation is.
    The solution is, I suggest, the Fourth Amendment Is Not for 
Sale Act. This bill would close the loopholes in the law. It 
would forbid government agencies from buying personal data it 
would otherwise need a warrant or subpoena to obtain.
    When the Fourth Amendment Is Not for Sale passes, U.S. law 
enforcement and intelligence agencies will still have powerful 
legal tools at their fingertips with which to follow leads that 
can catch terrorists, spies, and dangerous criminals. They will 
just have to follow the rules.
    I thank Chair Nadler and Congresswoman Lofgren for their 
leadership in introducing this legislation. I also thank 
Ranking Member Jordan, who has expressed concern about the 
impact of the surveillance State on Americans' fundamental 
liberties and rights. Many Members on both sides of the aisle 
on this Committee and in the Congress as a whole have spoken 
out. Now, it is time to act.
    The more answers you can compel from the government about 
the scope and uses of purchased data the better we will be able 
to devise rules to protect the American people from lawless 
mass surveillance. Thank you.
    [The statement of the Hon. Goodlatte follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chair Nadler. Thank you, Chair Goodlatte.
    Professor Lamdan, you are now recognized for five minutes.

                   STATEMENT OF SARAH LAMDAN

    Ms. Lamdan. Chair Nadler, Ranking Member Jordan, and 
distinguished Members of the Committee, I thank you for the 
opportunity to speak here today about the government's use of 
personal data.
    Surveillance has always been a part of U.S. national 
security and public safety regimes. Traditionally, policing and 
intelligence work revolved around the compelled and targeted 
surveillance, traffic stops, particularized warrants, and other 
searches done on a person-by-person basis.
    These compelled surveillance methods are being replaced by 
voluntary surveillance method systems that are data driven, 
like automated license plate readers and dragnet reverse 
location and keyword warrants.
    People call these datafied surveillance systems voluntary, 
but most of us don't truly volunteer to be a part of them. We 
may technically consent to driving on a public road lined with 
cameras or clicking I agree to access an online service. These 
choices to trade our data for access are illusory. We must make 
them to participate in daily life.
    Every move we make online, including through the apps on 
our phones, connected home electronics, and wearable devices, 
generates data that can be collected, shared, and sold. Even 
when companies promise that they will anonymize our data, that 
data can easily be reidentified. In some cases, the government 
doesn't collect its own data or build its own data analytic 
systems, excuse me, in most cases.
    Several types of companies comprise our modern surveillance 
infrastructure.
    First, we have data analytics systems and products, so 
those are algorithms, machine learning systems, and other forms 
of artificial intelligence, that predict whether someone will 
commit a crime or default on a loan, et cetera.
    The second type of company is a designer data company, like 
a facial recognition or a biometric data company or a 
geospatial or geolocation data company that can pinpoint where 
you are located.
    The third type of companies are data brokers that provide 
huge dossiers containing information like our addresses, our 
work, and our credit histories.
    Together, these companies have become de facto primary fact 
finders in many law enforcement investigations. They have been 
called big brother's little helpers because they turn policing 
from a suspect-focused search into a constant, intrusive 
surveillance system that surveils all of us.
    Rather than focusing on particular suspects, data policing 
tools are dragnets, sifting through all of our data. They 
provide a 300-degree view of our lives, revealing where we go, 
who we know, and what we do each day. The data companies' 
services likely know more about you than your friends or family 
do.
    Even if you try to opt out of data collection, the 
companies create shadow profiles about you based on the data 
that your friends, family, and associates trail behind them 
when they go online. The data in these companies' products 
contain errors that are difficult, if not impossible, to 
correct and the data analytics systems themselves are 
notoriously inaccurate.
    Without oversight and supervision, it is hard to figure out 
exactly how the government uses data analytics products. This 
obscurity flouts freedom of information laws. Legal loopholes 
put the industry beyond the scope of due process protections 
that are built into our laws and administrative procedures. 
Some legal experts posit that the government agencies do their 
work through these companies intentionally to buy their way 
around due process requirements.
    Without legal safeguards, there is no limit on what kinds 
of surveillance products agencies use and how they use them. 
Agencies don't monitor how employees use the products, so 
employees use the systems to make questionable searches.
    The government's partnerships with data companies are ripe 
for legislative oversight. Laws should require that the public 
be notified about how and why their data is being collected and 
used. These notices should set specific purposes and timelines 
for data programs. The programs should be audited regularly to 
be sure that they are being implemented for their intended 
purposes.
    Programs that use personal data should be transparent and 
provide for public comment. People should be able to consent to 
the collection of their personal data and to see and correct 
their data sets, even when those data sets are provided by a 
third party. There should be processes to ensure that when the 
government implements data programs it is using accurate data 
and unbiased data analytics systems that properly serve their 
assigned purposes.
    As the government continues to work with data companies to 
build its surveillance infrastructure, we must balance the need 
for robust national security and public safety and the benefits 
of quick and easy data services with the privacy and civil 
rights of the American public. I look forward to answering your 
questions.
    [The statement of Ms. Lamdan follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chair Nadler. Thank you, Professor Lamdan.
    Professor Wexler, you are now recognized for five minutes.

                  STATEMENT OF REBECCA WEXLER

    Ms. Wexler. Mr. Chair and Members of the Committee, my name 
is Rebecca Wexler. I am an Assistant Professor of Law at the 
University of California, Berkeley, School of Law. I am honored 
to have been invited to testify today about how law enforcement 
collection of data through private intermediaries can conceal 
evidence of innocence by circumventing criminal defense 
discovery rights.
    Collecting data from private intermediaries rather than 
seizing it directly not only allows law enforcement to collect 
more information more easily, an underappreciated aspect of 
this practice is that it also allows law enforcement to collect 
less evidence of innocence. When law enforcement does not 
possess exculpatory evidence, it can be much harder for the 
defense to access it, risking wrongful convictions.
    Let me give some examples. When law enforcement purchases 
data from intermediaries or uses private biometric databases or 
licenses surveillance software from private companies, the 
officers can stay ignorant of flaws in the data. They don't 
have to learn whether the data were acquired in violation of a 
privacy statute or through breach of contract or through 
unlawful hacking. They don't have to learn about errors in 
quality control that could have corrupted the data or rendered 
it unreliable or subject to tampering. They don't have to learn 
about bugs or improper validation studies or racial and other 
biases in the software used to acquire the data.
    Indeed, private companies sometimes claim this type of 
information is a trade secret. They refuse to disclose it even 
to their own law enforcement customers, much less in response 
to a subpoena. Yet, all that information could be exculpatory 
evidence relevant to prove innocence and stop wrongful 
convictions.
    If law enforcement seizes data directly, they are much more 
likely to know these flaws because they will collect the data 
closer to its point of origin or they will build the database 
for surveillance software directly. If they acquire data from 
private intermediaries, they are much more likely not to know 
because they can acquire the final data output without any 
other information. When law enforcement is ignorant of flaws in 
their data or in data collection methods, it is harder for 
defendants to access that exculpatory evidence.
    Here is why. If law enforcement is ignorant of exculpatory 
evidence, defendants' constitutional Brady due process rights, 
which as you know would otherwise require the prosecution to 
disclose evidence of innocence, do not apply. Defendants' 
statutory discovery rights to obtain exculpatory evidence from 
the prosecution do not apply. If defendants exercise their 
Sixth Amendment rights to call law enforcement officers to the 
witness stand, cross examination will be futile.
    Meanwhile, current evidence rules permit prosecution 
witnesses to introduce data into evidence even if they are 
ignorant about flaws in the data or the method of collecting 
it. Nor is it easy for defendants to get information about such 
flaws directly from a private company. In a catch-22, 
defendants can't subpoena companies directly for exculpatory 
evidence unless they already know the evidence exists and can 
identify it with specificity. That is a task that is virtually 
impossible for evidence you have not yet seen. Trying to get 
criminal defense subpoenas enforced across State lines can be 
prohibitively costly and time consuming.
    Further, vendors of surveillance technologies sometimes say 
that their products are for law enforcement customers only and 
refuse to give or sell copies to criminal defense experts for 
scrutiny and testing. Indeed, some companies even refuse 
research licenses to independent scientists to scrutinize their 
products, all the while claiming in court that those products 
are subject to peer review.
    In sum, it is much harder for criminal defense counsel to 
access exculpatory evidence about flaws in data collected 
through private intermediaries as opposed to data collected by 
law enforcement directly.
    To help fix this problem, Congress should consider ways to 
protest defense counsels' access to exculpatory evidence, for 
instance, eliminate the trade secret evidentiary privilege for 
private entities that sell data and investigative software to 
law enforcement, clarify that the Stored Communications Act 
does not block criminal defense subpoenas to technology 
companies, strengthen defendants' general third-party subpoena 
powers, and require law enforcement to obtain exculpatory 
evidence on behalf of the accused if defense counsel is unable 
to obtain it directly.
    Thank you for the opportunity to testify today. I look 
forward to your questions.
    [The statement of Ms. Wexler follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chair Nadler. Thank you, Professor Wexler.
    Mr. Tolman, you are now recognized for five minutes.

                   STATEMENT OF BRETT TOLMAN

    Mr. Tolman. Thank you, Mr. Chair Nadler, Ranking Member 
Jordan, and Members of this Committee, and thank you for the 
opportunity to testify today.
    I am encouraged by the Committee's decision to hold a 
hearing to address concerns around law enforcement's 
warrantless access to commercially available bulk data. These 
concerns are valid, and I share them.
    The Fourth Amendment affords Americans an expectation of 
privacy with respect to their person and property such that if 
law enforcement wishes to gain access to their personal 
records, they must first establish probable cause to search to 
secure a warrant which they make available to the individual 
subject to search.
    The Supreme Court has ruled that a person's expectations to 
privacy under the Fourth Amendment follows them, not a 
particular location. Well, what about an individual's digital 
footprint? Is there a reasonable expectation of privacy 
attached to both records containing an individual's digital 
record? Yes. As such, the Fourth Amendment demands a warrant 
predicate to access this information.
    With constant evolution of technology and the digital 
footprints that individuals generate as a result expose 
opportunities for end runs or around the Fourth Amendment's 
privacy guarantees. Therefore, use of technology by the 
government upon its citizens must be subject to constant 
scrutiny. To that end, I am critical of the law enforcement 
practice of purchasing databases in bulk which they then mine 
or dare I say search for incriminating information against 
unwitting citizens as violating the expectation of privacy 
guaranteed under the Fourth Amendment. This access by law 
enforcement of an individual's digital records and movements is 
purchased, rather than obtained by a warrant as required by the 
Fourth Amendment.
    Americans' personal data is sold to law enforcement 
unbeknownst to them and for the purpose of investigating or 
surveilling. This is a violation, plain and simple.
    Congressional attention and oversight concerning the law of 
transparency and basic information relating to law 
enforcement's access to an individual's digital movements must 
persist to ensure the rights of citizens are not sacrificed on 
the altar of technological innovation. Private technology 
companies that contract with law enforcement harvest billions 
of photos posted by unsuspected users on platforms such as 
Facebook, YouTube, Venmo, and TikTok. This collection and data 
grab amounts to unprecedented invasions of privacy that places 
enormous undue control in the hands of the government and big 
tech, two entities not always known for their light touch or 
responsible use of power.
    Just because law enforcement collects the data from a third 
party that maintain the same for commercial purposes does not 
negate one's reasonable expectation of privacy when the data 
tracks their movement and location. Inevitably, law enforcement 
will default to reliance on unfettered access to digital 
records from third parties, if permitted to bypass a warrant. 
They may do so touting laudatory uses such as identifying 
missing persons, but a right abuse for any reason is still an 
abuse and its expansion and use is inevitable.
    Our Founding Fathers deliberately and prudently enshrined 
in the Bill of Rights prescriptions on the wanton search of 
Americans as a necessary bulwark for freedom. It is hard to 
square these notions and protections with the unfettered access 
to digital records that can instantaneously reveal an 
individual's identity, location, communication, movements, 
associations, and otherwise.
    Americans have long prided themselves on our ability to 
refuse the government unless it has legitimate cause to 
interfere with our liberty. Our police, at least in the absence 
of reasonable suspicion of wrongdoing, are supposed to rely on 
the consent of the citizenry and their interactions. The 
unfettered power to mine personal information with little 
public awareness or transparency stands this principle on its 
head.
    Law enforcement has already accessed all the information 
needed to track down. Americans are placed in a position where 
they must choose between the convenience and necessity of 
technology against their right to privacy from government 
surveillance. Furthermore, we cannot ignore the risk that 
access to commercially available digital records without a 
warrant will be used to target certain Americans. Consider the 
chilling effect if the government could sidestep the probable 
cause necessary to obtain a warrant from the court and simply 
purchase the data necessary to target an American or groups of 
Americans for surveillance, while protections are in place to 
ensure that targets are not politically motivated or otherwise 
motivated in support of an agenda having nothing to do with 
public safety.
    Not long ago, I was tasked with leading the effort in the 
Senate to reauthorize the Patriot Act. We heard similar 
assurances years ago by both leading the Department of Justice 
and the FBI about FISA and those surveillance authorities are 
not turned against honest Americans. We are seeing how that 
worked out as outlined in the recent and disturbing Inspector 
General reports.
    One needs only to look no further than Russia's and China's 
unconscionable and unfettered control over the digital 
footprint of its citizenry where no expectation of privacy 
exists to appreciate the limitations the Fourth Amendment 
places upon government agencies in America. Significant 
restraints are necessary for privacy protections to catch up to 
the rapidly-advancing capabilities of technology. Americans 
deserve transparency as to the nature of law enforcement's 
access to data held by third parties containing information for 
which they had a reasonable expectation to believe was private.
    Thank you once again for the opportunity to present these 
concerns to the Members of this Committee.
    [The statement of Mr. Tolman follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chair Nadler. Thank you, Mr. Tolman.
    Ms. Goitein, you are now recognized for five minutes.

                 STATEMENT OF ELIZABETH GOITEIN

    Ms. Goitein. Chair Nadler, Ranking Member Jordan, and 
Members of the Committee, thank you for this opportunity to 
testify.
    It is often said that the law fails to keep up with 
technology. When it comes to the government's access to 
Americans' personal data, that is an understatement. Advances 
in technology have rendered old Fourth Amendment doctrines 
obsolete and have opened enormous gaps in the laws passed by 
Congress. The government is exploiting the resulting legal 
loopholes to obtain Americans' most sensitive information 
without a warrant, subpoena, or any legal process whatsoever.
    Let's start with the Fourth Amendment. Decades ago, the 
Supreme Court held that people have no Fourth Amendment rights 
in information they voluntarily share with a third party, such 
as a phone company. Whatever merit the so-called third-party 
doctrine had in the 1970s, it makes no sense in the digital 
era.
    Today, it is virtually impossible to go 24 hours without 
disclosing highly-sensitive information to a multitude of third 
parties. Our internet searches and the websites we visit are 
logged by internet service providers. Our cell phones record 
our movements throughout the day, revealing visits to 
therapists, doctors, or houses of worship. Every online 
purchase creates a lasting digital record.
    The Supreme Court has finally begun to catch up. In 2018, 
the court held in Carpenter v. The United States that the 
police need a warrant to collect a week's worth of cell phone 
location information, even though customers share that 
information with the phone company. The court reasoned that 
this information could reveal the most intimate details of 
someone's life--their associations, habits, even beliefs. 
Moreover, there is really nothing voluntary about sharing this 
information, because cell phones are not optional in modern 
society.
    Despite this ruling, investigative reporters have 
discovered that Federal agencies have secretly been paying data 
brokers to gain access to vast troves of Americans' personal 
data including cell phone location information. Agencies that 
have bought such data include the FBI, DEA, the Department of 
Defense, and as confirmed by thousands of pages of FOIA 
documents released by the ACLU yesterday, the Department of 
Homeland Security. Even the IRS, according to the Wall Street 
Journal, purchased access to a database containing location 
information for millions of American cell phone records.
    Given the Carpenter decision, how can the government obtain 
Americans' geolocation information, sometimes in massive 
quantities, without getting a single warrant? It turns out 
agency lawyers have interpreted Carpenter to apply only when 
the government compels companies to disclose data. When the 
government nearly incentivizes such disclosure by writing a big 
check, the warrant requirement just disappears. This is legal 
sophistry, but realistically, it could take years for the 
courts to settle that question.
    That leaves us, for now, with statutory protections. The 
Electronic Communications Privacy Act prohibits providers of 
communications or computing services from disclosing customer 
information to the government without a court order or 
subpoena. The law is woefully outdated. The companies it covers 
do not include many app developers or digital data brokers. It 
is not that Congress chose not to include them. Those entities 
simply didn't exist in 1986 when ECPA was passed.
    This gap creates an easy end run around the law's 
protections. Companies that are prohibited from selling their 
data to the government can sell it to a data broker instead, 
and the data broker can turn around and sell the same 
information to the government at a handsome profit. The 
information is effectively laundered through a middleman. Many 
app developers can sell geolocation data directly to the 
government, although in practice, they usually operate through 
data brokers as well.
    Easy government access to Americans' Fourth Amendment 
protected information doesn't just violate our privacy. It 
invites abuse, in particular, the targeting of people or groups 
based on race, religion, or political activity. We have seen 
this already. The Department of Defense purchased access to 
geolocation information from popular Muslim prayer and dating 
apps. Police departments used a data broker to track people who 
attended racial justice protests in Ferguson and Baltimore.
    It is time for Congress to step in. Chair Nadler and 
Representative Lofgren have introduced the Fourth Amendment Is 
Not For Sale Act, which would prohibit law enforcement and 
intelligence agencies from buying data that they would 
otherwise need a warrant or subpoena to obtain. The Brennan 
Center supports this legislation, and we urge this Committee to 
advance it quickly.
    Thank you and I look forward to your questions.
    [The statement of Ms. Goitein follows:]
    [GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
    
    Chair Nadler. I thank all the Witnesses for their 
testimony. We will now proceed under the five-minute rule with 
questions. I recognize myself for five minutes.
    Professor Lamdan, in your opening statement, you mentioned 
that personal data is combined into dossiers for government use 
and for integration with designer data companies specializing 
in data products.
    How does personal data flow to larger brokerage firms and 
how is it combined into marketable packages for law enforcement 
and government entities?
    Ms. Lamdan. So, there are a series of different pathways. 
There is no one way that these data sets get into these 
dossiers. There are major companies that collect data from over 
10,000 sources. Those companies began as public records 
collectors, so they were collecting like DMV rolls, voting 
rolls, public records that were already available and 
acceptable. Then they just kept kind of accumulating more and 
more sources to what Elizabeth just mentioned about how if the 
government wants to get data from a particular entity or a 
particular app or particular data company or source, rather 
than selling it directly to the government, if the company or 
the app or whatever the entity is sells it to one of these 
major data brokers like LexisNexis, or an Oracle, or you know, 
one of these large, data dossier companies, then those data 
dossier companies will license data streams to the government 
agency that contracts with them. So, that is how our personal 
data from say using Facebook or using the GPS on our phone 
makes its way to the government. It gets collected piece by 
piece and then placed in a large data document associated with 
your name.
    Chair Nadler. Thank you. Professor Wexler, in cases where 
prosecutors fail to collect Brady information, what prevents 
the defense counsel from simply purchasing potentially 
exculpatory evidence from data broker themselves?
    Ms. Wexler. Thank you for the question, Chair Nadler. 
Beyond financial barriers and the possibility defense counsel 
might not know exculpatory information exists like flaws in the 
data collection method, some companies refuse to sell data or 
investigative software to anyone other than law enforcement 
customers, so they just flat out say no.
    In addition, data companies don't generally sell 
information about flaws in their methods. They are likely 
instead to claim that information as a trade secret and refuse 
to even disclose it subject to a subpoena.
    Finally, some privacy statutes including the SCA, as 
interpreted by the courts today, bar private entities from 
disclosing certain information to defense counsel even if there 
is a subpoena and a court order that the information is 
necessary to the administration of justice.
    Chair Nadler. Thank you. Chair Goodlatte, there is a 
disturbing lack of transparency when it comes to how Americans' 
detailed personal information reaches law enforcement or the 
government, whether it is through data broker purchases or 
geofence warrants.
    Are law enforcement and the Federal government buying their 
way around due process protections? Do you believe that was the 
intention of the Electronic Communications Privacy Act when it 
was first passed?
    Mr. Goodlatte. I don't think the Electronic Communications 
Privacy Act when first passed contemplated this being an issue 
at all since at that time access to information in emails was 
probably the primary thing that could be obtained. As has been 
mentioned, the evolution of the internet has been so dramatic 
since then that automatically information of all sources is 
being gathered and people don't even realize how much 
information is gathered.
    I counted yesterday that I have 160 apps on my phone, 
probably half of those are tracking various pieces of 
information about me that is being stored somewhere and it is 
available to be sold to somebody. As I said in my testimony, 
when it goes to the government, I think they are indeed going 
around the intent of the Fourth Amendment when they are allowed 
to buy that when otherwise they would be required to have a 
warrant.
    Chair Nadler. Thank you. Professor Lamdan, similar to 
predictive policing, can analysis of these complicated data 
sets predict who is likely to get pregnant, when they are 
likely to get pregnant, or similarly, who is likely to seek out 
an abortion, whether it is based on age demographics, income, 
location or other factors?
    Ms. Lamdan. Absolutely, yes. Predictive analytics can be 
built to serve all sorts of needs and there is so much data, 
there is such a wealth of data available about our internet 
searches, who we have been messaging, what about our period 
trackers, all sorts of health apps that it would be very easy 
to make that kind of a predictive analytic system.
    Chair Nadler. Thank you. I thank our Witnesses for their 
excellent testimony. Before I yield back, without objection, I 
will enter into the record a statement for the record by 
Caitlin Chin, Fellow at the Strategic Technologies Program at 
the Center for Strategic and International Studies.
    [The information follows:]
   
                      CHAIR NADLER FOR THE RECORD

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chair Nadler. Mr. Biggs.
    Mr. Biggs. Thank you, Mr. Chair. Thank you for holding this 
hearing today and I appreciate the Witnesses being here. I have 
read all your testimony and listened today and read the 
guidance for both the majority and the minority.
    Mr. Chair, I would urge you to bring the Fourth Amendment 
Is Not For Sale Act up for a markup in this Committee as soon 
as possible. I think it is really imperative that we do that.
    It is nearly impossible for an individual to participate in 
American society today and not have their data collected and 
sold. So, I am really concerned about this. Probably eight 
years ago at a forum I was at, Walmart was talking about their 
capacity to obtain information and they probably have the 
biggest database on consumers in the world at that time. Now, 
with data aggregators and data brokers, our government now has 
probably easily surpassed that and also private businesses as 
well.
    Ms. Lamdan, companies--if I understand this right, with 
geo-
tracking, geolocation data, companies are able to basically 
know where individuals are based on the data collected from 
their cell phones. Is that right?
    Ms. Lamdan. Yes, that is correct.
    Mr. Biggs. So, I was called to mind in the majority 
briefing in March of 2019, a Gainesville, Florida man was 
arrested based on the fact that this geolocation data indicated 
he kept passing the home where a burglary took place. Turns out 
that was his biking route, and it was his exercise app.
    So, Ms. Goitein, with access to geolocation data the 
government can track anyone's movements throughout the city, 
not just where they are, but their movements as well. Is that 
fair to say?
    Ms. Goitein. Absolutely, and that is why it is so revealing 
because it can reveal not just where someone was at any given 
time, but their patterns of life, their movements throughout 
the day, and over the course of even longer periods of time, it 
can really reveal everything.
    Mr. Biggs. This information is accurate? At least as far as 
geolocation goes, necessarily? That phone is where the data 
indicates. Is that fair to say?
    Ms. Goitein. Well, it is accurate enough to be extremely 
violative of individuals' privacy while simultaneously leaving 
enough room for error that people are falsely flagged with this 
information, and that is also a real problem.
    Mr. Biggs. Sure. So, I mean you would obviously have some 
kind of confirming evidence you would think other than just 
geo--
    Ms. Goitein. One would hope.
    Mr. Biggs. Yes, one would hope. If I understand this right 
and I am going fast because I only have five minutes. 
Government, business, even individuals can actually buy this 
information from brokers. Is that fair, Ms. Goitein?
    Ms. Goitein. There is a wide range of clients and it 
includes all the entities you mentioned.
    Mr. Biggs. I just want to just clarify to make sure I get 
it right. This data could indicate where, when, and how often a 
person goes to a certain location or some proximity, is that 
fair to say to the panelists?
    Ms. Goitein. Yes.
    Mr. Biggs. Thank you. So, similarly, if a group acquired 
geolocation data for certain locations such as ballot drop 
boxes, they would be able to identify frequent visitors to 
those drop boxes to uncover a pattern of potentially illegal 
ballot harvesting. Unfortunately, too many officials have 
dismissed this, but if you had and as we just clarified, if you 
had additional video evidence of someone being at a location, 
confirming the geolocation data, that would be pretty 
important.
    So, one tech researcher has indicated

        is geotracking of incredible accuracy mentioned in the 
        film 2000 Mules possible and being used today?

          Absolutely. It is obtainable by anyone willing to pay the 
        right amount of cash. Yes, and it is far more detailed than you 
        know.

    That is fair to say that this is more accurate than most 
people even realize and when you have separate, verifying 
evidence that might verify that, Chair Goodlatte, that would be 
pretty impressive evidence, would it not of someone being at a 
location doing a certain thing?
    Mr. Goodlatte. If you have probable cause to obtain the 
information, then certainly I have absolutely no objection to 
law enforcement securing the type of information we--
    Mr. Biggs. I am talking about, for instance, in the 2000 
Mules movie where they have--they use geotracking location to 
identify certain movements of individuals via phones and they 
actually went through and found the video evidence indicating 
that person was sticking a bunch of ballots in a box at a 
certain time. That would be pretty compelling evidence, would 
it not?
    Mr. Goodlatte. If you have corroborating evidence, yes.
    Mr. Biggs. Thank you. Mr. Chair, I have a number of 
articles I would like to submit to the record. A New York Times 
article, ``Defense Firm Said U.S. Spies Backed Its Bid for 
Pegasus Spyware Maker.'' ``FBI Secretly Bought Israeli Spyware 
and Explored Hacking U.S. Phones.'' ``FBI Told Israel It Wanted 
Pegasus Hacking Tool for Investigations.'' Finally, another 
article by--all these are The New York Times, the last one 
being, ``The New Spy Wars,'' and I ask that they be admitted.
    Chair Nadler. Without objection.
    [The information follows:]

    
                        MR. BIGGS FOR THE RECORD

=======================================================================

[[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Mr. Biggs. Thank you and I will yield back. Thanks, Mr. 
Chair.
    Chair Nadler. The gentleman yields back. Ms. Lofgren.
    Ms. Lofgren. Thank you, Mr. Chair. I am pleased to have 
been involved with the introduction of this bill with you, Mr. 
Chair, and working with our Senate counterpart, Mr. Wyden. I am 
encouraged by the bipartisan support that has been expressed 
for this measure today. I think it is essential that we move 
this bill. It is essential, but also insufficient.
    Many people, I think in their zeal to see the immigration 
laws enforced don't realize that the Department of Homeland 
Security and specifically ICE is one of the biggest privacy 
offenders in the government. ICE has scanned the driver's 
license photos of one third of Americans. ICE has access to 
driver's license data of three quarters of adults in the United 
States. ICE tracks the movements of drivers in cities that are 
home to three and four American adults and ICE could locate 
three and four adults through their utility records. It is a 
massive privacy violation.
    I would like to submit for the record several articles; 
one, an ACLU article, ``New Records Detail DHS Purchase and Use 
of Vast Quantities of Cell Phone Location Data,'' as well as an 
article from the Intercept, ``ICE Search LexisNexis Database 
Over 1 Million Times in Just Seven Months,'' and finally, from 
the Center on Privacy and Technology, a publication called 
``American Dragnet.''
    Chair Nadler. Without objection.
    [The information follows:]

    
                       MS. LOFGREN FOR THE RECORD

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Ms. Lofgren. I would like to ask you, Mr. Goodlatte, 
whether you think, and by the way, thank you for being here. It 
is good to see you. Whether you think the Fourth Amendment Is 
Not For Sale measure as drafted would basically address the 
sort of dragnet around the Fourth Amendment issue that we have 
been discussing here. Does it get the job done?
    Mr. Goodlatte. I think it would go a long way to addressing 
some of the concerns that have been expressed and it would 
cover all kinds of different types of actions. We have had 
discussion here about Planned Parenthood clinics people 
visiting those, but you also would have similar concern about 
people visiting gun stores. So, this is a situation where the 
principle of protecting people's rights under the Fourth 
Amendment has to come first and we certainly support the right 
of State and Federal law enforcement to enforce their laws, but 
they have to do it following the rules.
    I think this would help, but there are other issues, 
geofencing location, for example, is not addressed by this 
bill. There was a recent court opinion that struck down a 
geofence warrant and that may be a good sign, but I think that 
is something also that the Committee should look into very 
closely. Then you have issues that don't really address the 
jurisdiction of this Committee, but the sale of this 
information to foreign governments, for example, is not covered 
in the legislation and there should be separate legislation 
addressing that.
    Ms. Lofgren. Well, maybe that is something we can talk 
about along with our Senate counterparts. I think this is 
important to move forward on, however, the fact that our data 
is being collected is an underlying problem and we need to do 
something about that in addition to moving this action.
    Congresswoman Eshoo and I introduced the most comprehensive 
Federal privacy legislation in Congress called the Online 
Privacy Act. It would set forth the most thorough and 
aggressive set of privacy rights among the major proposals in 
Congress. I wouldn't ask any of the Witnesses to take sides 
along the various measures that are being introduced, but one 
of the measures that I think is pending in the--our sister 
Committee Energy and Commerce, would allow data brokers to 
continue to collect Americans' data as long as the data broker 
is acting on behalf of the Federal, State, or local 
governments. So, that would include purchase of this material.
    Would you agree with that, Ms. Goitein or Professor Lamdan?
    Ms. Goitein. I think it is very important to ensure that 
the Federal government or State or local governments cannot buy 
their way around the protections in existing statutory law and 
the Fourth Amendment. I think any sort of comprehensive privacy 
legislation would need to tackle that. I will also say that 
while I very much support comprehensive data privacy 
legislation, and I think that is an effort that Congress should 
throw itself into, I also think that Congress should move ahead 
very quickly with the Fourth Amendment Is Not For Sale Act 
because there is no reason to delay that. I think what Congress 
needs to do is to close the gaps that have opened in existing 
laws that are allowing the government to evade those laws while 
simultaneously taking on the larger project of expanding the 
universe of privacy protections.
    Ms. Lofgren. My time has expired. I very much agree with 
you, and I yield back, Mr. Chair.
    Chair Nadler. The gentlelady yields back. Mr. Issa.
    Mr. Issa. Thank you, Chair Goodlatte, good to see you. I 
will concentrate some of my questions on you.
    From a constitutional standpoint, our Founding Fathers, I 
presume that while they were protecting against the British 
pounding on the door and coming in looking for venison to find 
out whether you were a poacher without a warrant, I am assuming 
that if they went down the street to the pub and asked, has 
Clancy been in here today, it was legitimate to ask that 
without a warrant.
    Would that be a fair depiction of the status quo 240 years 
ago?
    Mr. Goodlatte. Yes, it would and through most of American 
history that would be the case and probably not viewed as a 
problem. It is the change in technology that has evolved, 
particularly since ECPA was passed and we have tried to reform 
it that the massive amount of information that is gathered 
without people even knowing that it is being gathered, and the 
fact that information in the past was about some of the very 
personal things that people have would have been in their own 
possession, not in the possession of a third party stored in 
the cloud if you will. That changes that and I think 
necessitates both the court's evolution which we have seen in 
recent cases, and the need for Congress to act.
    Mr. Issa. So, now let's skip forward a quarter of a 
millennium or stay back there for a moment. That same example, 
if not law enforcement, but a friend was to knock on your door 
and you opened it and you let him in, he would be entitled to 
notice the smell of venison and could be queried on that, 
right?
    Mr. Goodlatte. It would be.
    Mr. Issa. If he went down the street and said has Clancy 
been in and the bartender said yes, he was in, and he staggered 
out a little while ago, that would be okay?
    Mr. Goodlatte. It would.
    Mr. Issa. So, really this is not a new problem, but in 
fact, a problem in the making not just for law enforcement 
which I understand that we are looking at the government here 
today, but my question to you is the data that we are in many 
cases talking about in the hands of Google, through android, of 
Apple, and a myriad of other original source gatherers is being 
provided to the guy that isn't law enforcement, but simply 
somebody who will buy and whether that is a data broker or the 
Russian Government, the Chinese Government, or a myriad of 
other people, personal data that is the equivalent of what was 
safely held within your house is being made available broadly 
to anyone who will buy. Is that a fair statement?
    Mr. Goodlatte. It is.
    Mr. Issa. So, as we, as a Committee, look at this and I 
realize there are other Committees with some jurisdiction, not 
the least of which would be Energy and Commerce, our challenge 
is to restore the original intent, the original intent being 
that which is held to be yours and reasonably expected to be 
for privacy must be returned to privacy not just for law 
enforcement, but for all those who would seek to gather it and 
then purchase it.
    Mr. Goodlatte. Well, I would recommend that this Committee 
and other Committees look at all those examples, but this 
Committee has primary jurisdiction over the intent of the 
Fourth Amendment which is to prohibit government and by that I 
mean U.S. Federal, State, and local government from getting 
access to your data without probable cause.
    Mr. Issa. Now, I have a question for each of our Witnesses. 
Almost all you, I am sure are familiar with the HIPAA laws. 
HIPAA defines this privacy of personal, medical information 
specifically and limits both law enforcement and everyone else 
from sharing that data without informing and without your 
consent.
    Do each of you agree that what we really need is the 
equivalent of HIPAA for all information that would be on that 
side of maybe publicly disclosed, but not intended to be 
disclosed, including, but not limited to if the doctor says how 
are you feeling today in the waiting room, that does not 
suddenly make the answer well, I have got a cold, be something 
for dissemination. Quick answers if I could, because to me this 
is the essence of our question.
    Ms. Goitein. HIPAA has the advantage of restricting 
disclosure to nongovernment entities as well. HIPAA has some of 
the same drawbacks as some of the other privacy laws in that it 
protects only personally identifiable information, and 
healthcare providers are selling their data in aggregate, which 
can then be de-anonymized
    HIPAA also only covers certain healthcare institutions and 
providers. It does not cover, for example, app developers that 
would acquire some of the same data. So, there are aspects in 
which HIPAA works better and especially the one you mention, 
but there are also some design flaws as well.
    Mr. Issa. I guess, all else, if I don't hear they agree. 
Mr. Chair, we can do better than HIPAA in this Committee. With 
that, I yield back.
    Chair Nadler. The gentleman yields back. Mr. Cicilline?
    Mr. Cicilline. Thank you, Mr. Chair, for convening this 
group of experts for today's hearing to discuss how the 
government uses personal data and how it collects it. Countless 
corporations collect, store, package, and sell our personal 
data. This has become an unavoidable feature of the 21st 
century, and I think few Americans understand what happens to 
their data after it's been collected and even fewer grasp the 
ways law enforcement can access and use their data.
    We have a right to our data and a right to know how it's 
used and accessed, especially by large corporations and law 
enforcement. With that, I have a couple of questions. I first 
want to say welcome to Chair Goodlatte. It's great to see you.
    So, my first question is, Professor Lamdan, there's been--I 
know some companies allow users to opt out of data collection 
or review privacy policies. Apple is always very proud of 
allowing iPhone users to change privacy settings for activity 
conducted on its platform. Do companies need to provide notice 
to users that their personal data is being collected by the 
companies that acquire it and are users typically aware their 
information is being retained and then sold.
    When they do provide notice, is it usually in a way that an 
average user understand the consequences? I guess what I'm 
really getting to is, on the whole, do you believe allowing 
consumers to choose what data is collected is an effective 
solution to protect consumer privacy against government access 
to personal data sets? Or does more need to be done as a 
practical matter to protect consumers?
    Ms. Lamdan. That's a really good question. The answers is 
unfortunately, no, that's not sufficient. We all know, we all 
click, I agree, multiple times a day. Those agreements are all 
just saying that basically whatever data we hand over, it 
becomes theirs.
    They can sell it to whoever they want. We will not know 
what happens with that data afterwards. So, yeah, obviously, 
there's a real shortcoming in our current kind of end user 
license agreement system where you just agree to have your data 
taken and resold in perpetuity.
    Mr. Cicilline. Is it fair to conclude that most Americans 
have no idea that they are consenting to the sale of that data 
to third parties?
    Ms. Lamdan. Yeah, absolutely, absolutely. Also, in a lot of 
situations nowadays, companies try to make users feel more 
comfortable by saying, hey, we're going to anonymize your data. 
We're going to strip your name out of it. Nobody is going to 
know it's you.
    Google does that a lot. Your data can be re-identified with 
just several other data pieces about yourself. So, yeah, 
anonymization is also an illusion.
    Mr. Cicilline. A Norwegian study found that Perfect365, 
MyDays, and OkCupid shared user data with a large number of 
third parties, including IP addresses, GPS locations, age, and 
gender. Furthermore, a lot of this information is collected by 
third party trackers deployed by apps and the websites. So, my 
question is, Ms. Goitein, how does the sale of such information 
to enable law enforcement or the government the ability target 
Muslim Americans as an example, LGBTQ+ Americans, other 
religious groups, or other historically underserved 
communities? Have you see examples of that kind of use?
    Ms. Goitein. The short answer is yes, we have seen 
examples. I will say that the practice of buying data and the 
ways in which government agencies use that data is extremely 
non-transparent. There has been just a remarkable lack of 
transparency or even acknowledgment by government agencies that 
they are doing this, let alone any details about how the data 
is being used.
    We have certainly, through the efforts of investigative 
reporters, found out, for example, as I said earlier, that the 
Department of Defense was acquiring geolocation information 
from a popular Muslim prayer app that's used by 98 million 
people around the world, including people in the United States 
as well as a Muslim dating app. Police departments, we know, 
have contracted with data brokers who advertise their ability 
to track racial justice protesters, Black Lives Matter events, 
and the like.
    So, we have absolutely seen that. It shouldn't be 
surprising, because when law enforcement has to actually get a 
warrant, has to show probable cause of criminal activity, that 
makes it much harder for law enforcement officers to fall back 
on conscious or subconscious prejudices. When there are no such 
restrictions, you are going to see more targeting of 
marginalized communities. I'm sorry to say that is certainly 
what we are seeing, and we'll see more of.
    Mr. Cicilline. Thank you. Chair Goodlatte, if the 
government can target one community, they can target any. How 
concerned should we be that the government or law enforcement 
is able to purchase such information in criminal or 
counterintelligence investigations with little concern for 
Fourth Amendment protections.
    Mr. Goodlatte. Well, I think they should be able to acquire 
that data as long as they're following the rules. They have 
some basis for showing probable cause that they should have 
access to the information. Right now, we have a situation where 
we've shown a number of examples in our testimony here today of 
government agencies.
    By the way, we've mainly talked about the Federal 
government. State and local governments are very heavily 
involved in this as well. They're simply going around the 
requirement of showing a warrant by gathering massive amounts 
of data and then picking at that data. When they co into court, 
they reverse engineer the evidence to show, yes, this person 
did this, this, and this, and don't show that they originally 
targeted their suspect by looking at thousands of law-abiding 
citizens to find the one.
    That is exactly what the Fourth Amendment was designed to 
address and why the Congress needs to Act here. The courts are 
moving in this direction as well with the Carpenter decision, 
with the Riley decision. We shouldn't wait for the years it 
will take for the courts to catch up with this technology.
    Mr. Cicilline. Thank you. With that, I yield back. Yield to 
you, Mr. Chair.
    Chair Nadler. Thank you. Very quick question to Ms. 
Goitein. You mentioned--everybody has mentioned that the 
government tracks Muslims. Do they track other religious groups 
like Jews or Baptists?
    Ms. Goitein. They could track anyone they want. I mean, 
these companies--
    Chair Nadler. Do we have any knowledge whether they do?
    Ms. Goitein. We don't at this point. Again, absence of 
evidence is not evidence of absence--
    Chair Nadler. Of course. Of course.
    Ms. Goitein. --in a situation where there is absolutely no 
transparency.
    Chair Nadler. Thank you. Mr. Jordan?
    Mr. Jordan. Thank you, Mr. Chair. On that feed, Mr. Tolman, 
has geotracking been used for political purposes? I mean, I 
think about 12 years ago, we know the IRS specifically targeted 
conservatives. We know that the FBI targeted a presidential--
the conservative presidential campaign.
    As Mr. Goodlatte pointed out in his testimony; the FBI has 
conducted 3.4 million warrantless searches. Homeland Security 
tried to form a disinformation governance board just a few 
months ago. Of course, the DOJ as we speak is currently 
targeting moms and dads that show up at school board meetings. 
So, I want to know if this kind of data geolocation has been 
used in a political manner as well.
    Mr. Tolman. There's no question that it has, Mr. Jordan. I 
think you highlight one important aspect of this and that's who 
is in power focuses on who their adversaries are. We see that 
DOJ does that and they have done that.
    It's especially concerning when you view its use in 
connection with the secrecy of FISA and the other ability that 
they have to justify what decisions they make. I'm aware of an 
individual who received a knock on the door because he was in 
Washington, DC, on January 6th. He did not go in the Capitol, 
was not there for the rally. He was contacted by an FBI agent 
because he was in Washington, DC, on that day.
    Mr. Jordan. Didn't even attend the rally, but just happened 
to be in the Capitol city--his Capitol city that his tax 
dollars pay for.
    Mr. Tolman. That's correct.
    Mr. Jordan. Yet he had a knock on the door and had to 
answer a few questions from the FBI?
    Mr. Tolman. That's correct. There's no other way that they 
could've known that information, but for the digital footprint 
that he left with his phone.
    Mr. Jordan. Would you agree, Mr. Tolman, that Mr. Nadler's 
bill is a good step in the right direction to begin to deal 
with this problem?
    Mr. Tolman. It absolutely is. I think it's encouraging 
that's bipartisan on this particular issue, because there's 
nothing more important right now than reigning in government 
potential abuse.
    Mr. Jordan. Let me just go down the line. Maybe I'll start 
with our Witnesses here in person. Do you have similar--because 
I also have concerns about facial recognition technology and 
how that can be used. Do you have similar concerns, Ms. 
Goitein?
    Ms. Goitein. About facial recognition technology?
    Mr. Jordan. Yeah.
    Ms. Goitein. Absolutely. I think that is one of the 
scariest technologies out there because it could wipe out any 
form of anonymity that we have in our society. We've seen the 
way it's been abused in countries like China, which uses 
technology to track and essentially persecute the Uyghurs, a 
Muslim minority in that country. We also know that it doesn't 
work very for people of color and seniors and women.
    Mr. Jordan. Right. Huge percentage where they're wrong when 
we're talking about African Americans and other minority 
groups.
    Ms. Goitein. People have been falsely arrested in front of 
their children.
    Mr. Jordan. Yeah. We were working in a bipartisan way with 
Chair Maloney on trying to get some legislation last Congress. 
Unfortunately, we didn't get it done. I hope it did. Mr. 
Goodlatte, I assume you share the same concerns.
    Mr. Goodlatte. Absolutely. Again, going back to the 
question that Mr. Issa had, the difference between the broader 
scope here and the narrower scope of this legislation is those 
entities, corporations, governments outside the United States, 
we should address those, absolutely. They cannot pound on your 
door, knock I down, arrest you, prosecute you, imprison you, 
fine you, tax you, and regulate you. Only government can do 
that, and that's why this legislation is unique and ought to be 
taken up.
    Mr. Jordan. Yeah, it's called the Fourth Amendment, 
exactly. Ms. Lamdan?
    Ms. Lamdan. Yeah, I agree with everything everybody said. I 
would add that's one of the reasons why it's so important to 
also make sure that the large data brokers are included. Like, 
not just the facial recognition and geospatial geolocation data 
brokers because one of my fears is that if we focus on facial 
recognition, then the facial recognition companies will just 
sell their data to one of the major data brokers and it's still 
found its way into the government. So, yeah, I think that--
    Mr. Jordan. Yeah. No, we got to stay ahead. I remember a 
few years ago I was concerned about the stingray technology. 
The IRS had bought this technology which allowed this device to 
function like a cell tower.
    Now, that's outdated and they're way past that. So, we 
don't know what's coming next. So, yeah, we got to make sure we 
design it right. This is certainly important legislation that 
needs to happen. With that, Mr. Chair, I would yield back.
    Chair Nadler. The gentleman yields back. Mr. Johnson of 
Georgia?
    Mr. Johnson of Georgia. Thank you, Mr. Chair. I've listened 
carefully to the testimony. I would just want to point out that 
as we have entered the information age with so much information 
being available to all for a fee. Why not allow the law 
enforcement agencies to purchase specific data for their 
purposes?
    I'm speaking along the lines of Representative Issa who 
talked about law enforcement just doing not surveillance, but 
just doing old fashioned shoe leather investigatory work, going 
around asking questions, looking at cameras in a public camera 
that's mounted on a pole. Those things can happen these days. 
What I'm interested in is understanding among law enforcement 
agencies, both local, State, and Federal, which law enforcement 
agencies are the most prolific purchasers of data? Can any of 
the Witnesses inform us of that?
    Ms. Lamdan. Well, it's hard to tell because there's a real 
lack of transparency as Elizabeth has been saying around what 
these contracts entail and what entities these agencies are 
contracting with. I do know--it's well known that ICE is a 
major--they're developing big infrastructure that focus on 
predictive policing analytics and data brokering analytics. I 
think if people knew how many State and local law enforcement 
agencies who are also using these technologies, they would be 
shocked.
    Mr. Johnson of Georgia. That's what I'd like to know. Who 
are the agencies? Are they State, local, or Federal? Can you 
identify those agencies?
    Ms. Lamdan. So, I know that LexisNexis alone contracts with 
over 1,300 local and State law enforcement agencies and I'm 
not--a lot of agencies--
    Mr. Johnson of Georgia. Well, what kind of data?
    Ms. Lamdan. For all--
    Mr. Johnson of Georgia. What kind of data?
    Ms. Lamdan. All the data. They sell data dossiers 
containing--
    Mr. Johnson of Georgia. But, generally speaking, what kind 
of data is mostly sought by law enforcement agencies?
    Ms. Lamdan. So, they purchase data dossiers that contain 
over 10,000 types of data from 10,000 different sources. It's 
billions and billions of data points that are everything from 
your job history, geolocation data, work history, home address, 
all your licenses, and voting records.
    Just everything, and more and more they're also buying 
predictive policing technologies. So, those are algorithms that 
kind of sift through that data and predict--they draw up heat 
lists about who's most likely to commit a crime, where those 
people are, who their associates are.
    It's really, really invasive and I don't think there's a 
kind of data that isn't included.
    Mr. Johnson of Georgia. Let me ask you this question. What 
entities or individuals are the prime targets of this data 
collection by the agencies that are most prolific in collecting 
that data?
    Ms. Lamdan. I mean--
    Mr. Johnson of Georgia. We don't know who that is, but tell 
us what kind of data are they seeking and against whom.
    Ms. Lamdan. It tends to disparately impact people who 
already have a lot of data in the criminal record system, which 
is usually people of color, especially Black men, and then--
    Mr. Johnson of Georgia. So, we're, basically, talking about 
local law enforcement agencies developing information on 
criminal suspects who are thought to, perhaps, have violated 
State laws?
    Ms. Lamdan. Yeah. Go ahead.
    Ms. Goitein. If I could just jump in on that.
    When you ask who is being targeted, I think that one of the 
main problems is that no one is being targeted. It's a dragnet.
    What we are seeing is agencies purchasing entire databases 
of information so that they can sift through that and decide--
maybe they have someone of interest or maybe they're looking to 
see suspicious patterns so they can decide who they want to 
learn more about. This is not a situation where they have 
probable cause that someone has committed a crime and so they 
are looking for data that would support that.
    Mr. Johnson of Georgia. Just proceeding on a reasonable 
suspicion, a reasonable articulable suspicion, shouldn't law 
enforcement--shouldn't law enforcement be able to deal with 
data on that basis?
    Ms. Goitein. It depends on how sensitive the data is. If 
the data is, for example, not geolocation, if it's some other 
form of third-party records, then the standard can be 
relevance, and then they have to show relevance to a court and 
get what's called a D order. So, it's both the standard they 
have to meet that is important, but also the process that they 
have to follow.
    Let me just--when you say ``reasonable suspicion,'' the 
ACLU's documents show that during a three-day period in 2018 
for just one piece of the southwestern United States, DHS 
collected 113,654 location points. DHS did not have reasonable 
suspicion for each one of those--for any of them. This was 
dragnet collection so that DHS could then sift through that 
data and decide what it wanted to do with it.
    Mr. Johnson of Georgia. Thank you. I yield back.
    Chair Nadler. The gentleman yields back.
    Mr. Gaetz?
    Mr. Gaetz. I've heard enough, Mr. Chair.
    I believe that we could have bipartisan agreement on 
legislation out of this Committee that might be our hallmark 
achievement of this Congress.
    I want to echo the point Mr. Issa made. It is not just the 
government that engages in these really terrifying data 
marketplaces. It's the Chinese Communist Party, Russia, big 
corporations.
    Chair Goodlatte, does the Walt Disney Corporation engage in 
this terrifying data marketplace?
    Mr. Goodlatte. I don't know the answer to that.
    Mr. Gaetz. You're their lobbyist, right?
    Mr. Goodlatte. I do work for them, but I don't know the 
answer to your question.
    Mr. Gaetz. So, you used to Chair this Committee. You come 
here and you tell us about all the harm in this data 
enterprise, but you don't know that--you're the Republican that 
the Disney Corporation hired because they have problems with 
the Republicans, and you didn't ever talk to them about this?
    Mr. Goodlatte. I came here today to testify regarding the 
importance of this legislation, which, as you noted, is 
bipartisan and it relates to the importance of the government--
    Mr. Gaetz. So, the LA Times says Disney is running the 
happiest surveillance operation on Earth. Have you seen that 
article from the LA Times?
    Mr. Goodlatte. I have not seen it.
    Mr. Gaetz. I think it would--okay. I think it might have 
been when you were Chair that it came out.
    Disney has actually been sued. They've been sued because 
Disney installs software on applications used by children and 
then they not only buy data from data brokers, but Disney also 
then turns around and sells the data that they collect off of 
children.
    Are you familiar with that litigation?
    Mr. Goodlatte. I am not.
    Mr. Gaetz. There's a Forbes article that came out while you 
were Chair of this Committee and it talks about the robots that 
Disney sends around its park to collect data on the people at 
the park to utilize. Quote, ``Disney is even dabbling in making 
robotic versions of Mickey and Minnie and all of its characters 
that would move around with the guests and interact with 
them.''
    So, as you sit here and talk to us about the harm of this 
data enterprise, are you concerned that the people who pay you 
also engage in that very same work?
    Mr. Goodlatte. I think that it would be appropriate for the 
Congress to look at data collection practices beyond the scope 
of what this Committee is looking at here today.
    I also think it's very important to understand that what 
government can do with that data is very different than what 
individual enterprises can do and so that's why I'm here to 
talk about the Fourth Amendment--
    Mr. Gaetz. Sometimes, right? I saw in your testimony you 
say, well, only the government can tax you and only the 
government can regulate you.
    What I'm worried about is that private entities can try to 
program you. They could try to get you to think a certain way 
and they can use this data in a very harmful way.
    Like, particularly, with the Walt Disney Corporation that 
is in business with the Chinese Communist Party, that thanks 
the Chinese Communist Party for all the accommodations they got 
in the filming of ``Mulan,'' does it concern you that the Walt 
Disney Corporation is selling the information of children?
    Mr. Goodlatte. I don't know that's the fact.
    Mr. Gaetz. Are you being purposefully ignorant to the fact 
that Walt Disney engages in the very activities that you're 
here testifying against?
    Mr. Goodlatte. Well, I do not know the facts that you've 
stated. So, I can't comment.
    Mr. Gaetz. Well, right. Are you purposely not learning them 
so that you can simultaneously take money from Disney to try to 
make them look less evil to Republicans and then advocate on 
behalf of other organizations before the Congress that critique 
the very work that Disney is doing?
    Mr. Goodlatte. I'm here to advocate on behalf of people who 
are concerned about abuses of the Fourth Amendment.
    Mr. Gaetz. Chair Goodlatte, do you remember a conversation 
you and I had when you led this Committee at the Capitol Hill 
Club where you said the best way to be successful in the 
Judiciary Committee is to find interest groups that are opposed 
to one another and to tell both of them that you'll support 
their position so they'll both make donations to your campaign?
    Mr. Goodlatte. I definitely do not remember the 
conversation.
    Mr. Gaetz. You're under oath, Chair.
    Mr. Goodlatte. I do not. No.
    Mr. Gaetz. Well, I hope that's not the case in lobbying as 
well that you go and that as a legislator you try to find 
interest groups to play off of one another.
    Then as a lobbyist you go and take money from the Walt 
Disney Corporation that is quite literally buying and selling 
data in precisely the way that you find objectionable today.
    I think it's a reason why a lot of people are concerned 
about folks who go from being in Congress to being members of 
the lobby corps and then using the relationships that they've 
developed to sell influence, and that selling influence can be 
just as damaging sometimes as the buying and selling of data.
    The Walt Disney Corporation that goes against so many of 
the values of their own patrons, certainly, isn't worthy of 
that and since there's no Federal legislation on this issue, it 
doesn't seem like it's preempted.
    So, maybe if we had a really smart governor like Governor 
DeSantis in Florida, they could actually have State-based laws 
that would attack these issues.
    Wouldn't that be quite a thing?
    Mr. Chair, I now seek unanimous consent to enter a few 
articles in the record.
    All right. I have ``Disney takes over Hulu, a company with 
serious data collection issues'' from komando.com.
    I have from the LA Times ``Disneyland is tracking guests 
and generating big profits doing it.''
    I have from wdinfo.com ``Disney facing lawsuit over 
collecting and selling children's personal information.''
    I have ``Disney Uses Big Data, IoT, And Machine Learning To 
Boost Customer Experience,'' and that is from Forbes.
    Chair Nadler. Without objection.
    [The information follows:]

                        MR. GAETZ FOR THE RECORD

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Chair Nadler. The time of the gentleman has expired.
    Ms. Garcia?
    Ms. Garcia. Thank you, Mr. Chair and thank you for 
convening this very important hearing. I apologize. I was tied 
up on the floor in a few matters.
    I just want to say that it's just refreshing to see that we 
have a bipartisan hearing this morning.
    We simply cannot allow our government to descend into a 
surveillance State. Enough Big Brother government snooping 
around our lives. The Fourth Amendment's protection against 
unreasonable search and seizure is not just a flowery phrase we 
learned in law school and our Constitution.
    The government cannot bypass constitutional limitations 
through private contracting. Allowing law enforcement and 
intelligence agencies to outsource their public function 
through data brokers and obtain Americans' personal information 
offends the rule of law.
    This unchecked practice is a threat to our democracy. It 
undermines our civil rights and our civil liberties. As history 
has made clear again and again, unchecked government policing 
weighs heavier on the already oppressed or marginalized--the 
poor, communities of color, LGBTQ+ individualism and 
immigrants.
    Mr. Chair, I ask unanimous consent to enter for the record 
several articles, one by Politico entitled ``Homeland Security 
records show `shocking' use of phone data, ACLU says,'' 
secondly, Washington Post entitled, ``ICE investigators used a 
private utility database covering millions to pursue 
immigration violations.''Also, a Wall Street article, ``Federal 
Agencies Use Cellphone Location Data for Immigration 
Enforcement.''
    According to these reports, the ICE--
    Chair Nadler. Without objection.
    [The information follows:]

                       MS. GARCIA FOR THE RECORD

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

    Ms. Garcia. Thank you, Mr. Chair.
    According to these reports, the ICE accessed databases 
containing phone, water, electricity, and other utility 
records. This data included 400 million names, addresses, and 
service records for more than 80 utility companies, including 
water, gas, electricity, phone, and internet--basic 
necessities.
    Professor Lamdan or Ms. Goitein, both of you, can you 
describe the quantity of information available to ICE agents at 
any given time or any other law enforcement that has similar 
contracts?
    Ms. Lamdan. Yeah. I compare the way these agencies get data 
to a fire hose. They get data from thousands and thousands of 
sources, updated in real time. They have billions of data 
points, and they have these dossiers that are linked to each of 
our names. They have over 30 million dossiers that are just 
constantly getting updated with new data.
    Then on top of that, they have data analytics that sift and 
sort the data. So, even if I don't know somebody's full name or 
I only know part of their phone number or Social Security 
number, I can enter that tiny little bit of data about somebody 
that I know and pull up their entire dossier, and then I can 
sift and sort people based on where they are.
    Ms. Garcia. Do you know any specific as to utility records 
that are used against immigrants in terms of ICE?
    Ms. Lamdan. Yeah. Yes. Specifically, so they often say that 
when ICE tracks somebody and ICE locates somebody the first 
thing people ask is, like, how did they know who I was? How did 
they know where I live? That is linked to the NCTUE, that 
utilities data, because it connects your home and license 
plate.
    It connects critical pieces of data about you together. 
Then, that can be linked to all that other data--that fire hose 
of data that is coming in.
    So, it just gives ICE and other agencies just a really 
robust data set to kind of have a lot of different ways to see 
where you are at any given time, what you're doing.
    People have been found based on Facebook posts that 
they've--there was a woman who was selling pinatas and ICE 
agents were able to track that Facebook post through these data 
dossiers that include that utilities data to her, and they 
offered to buy one of her pinatas as pretext to then arrest 
her.
    Ms. Garcia. Well, I like pinatas, for the record.
    Professor, can you shed any more light on this particularly 
regarding ICE?
    I'm sorry. I thought there was a Professor Lamdan in the 
group.
    Ms. Goitein. There are two professors.
    Ms. Lamdan. Yeah, there's two. Sorry. There are two 
professors.
    Ms. Garcia. Oh, I'm sorry. So, where's the other professor? 
There she is.
    Ms. Lamdan. Yeah, Professor Wexler.
    Ms. Garcia. She's on the screen. I'm sorry. Since I got 
here late, I didn't get to see everybody.
    Ms. Wexler. The issue that I would like to highlight for 
the Committee is that regardless of what data is being targeted 
or who's being targeted, allowing the accused to challenge the 
quality of the data is essential to prevent wrongful arrests 
and accusations and convictions.
    Thank you.
    Ms. Garcia. Thank you.
    Mr. Chair, I yield back. I see I only have one second. 
Thank you.
    Chair Nadler. The gentlelady yields back.
    Mr. Bishop?
    Mr. Bishop. Thank you, Mr. Chair.
    Mr. Gaetz's questions had sort of focused my mind a bit. I 
was somewhat taken, Mr. Goodlatte, with the suggestion that 
past this bill our jurisdiction is focused on the Department of 
Justice and so forth, how the Fourth Amendment is interpreted 
and so we ought to focus on that.
    Isn't it possible that proceeding in that way would just 
empower private entities more? Can't private entities, when 
they gather these massive stores of data, can't they be the 
source of abuse?
    Mr. Goodlatte. Oh, certainly, they can, and I believe that 
legislation should be pursued in that regard as well. The fact 
of the matter is this Committee has jurisdiction over this 
narrower focus regarding protecting the Fourth Amendment.
    The broader issue also should be addressed, but it 
encompasses more Committees than just this one.
    Mr. Bishop. Ms. Goitein, is that how you say your--
    Ms. Goitein. Yes. Goitein.
    Mr. Bishop. Goitein. Thank you.
    Let me sort of pursue that also with you. So, it concerns 
me that by proceeding to restrict government in the way the 
Fourth Amendment Not For Sale Act would do that we would reduce 
political pressure to deal with the rest and we might, in fact, 
empower private entities to engage in abuse. What do you have 
to say to that?
    Ms. Goitein. I wouldn't say that at all. I really don't 
think this is a zero-sum game here. I think we can build 
privacy.
    Start with the low-hanging fruit, which is these loopholes 
that have opened in existing laws, because it's easy enough to 
get those plugged, and the same time, you can be working on 
expanding the universe of privacy protections. I don't think it 
would remotely take away the political pressure because a lot 
of the companies that we're talking about, really, have become 
household words and villains, frankly. I think people are upset 
about the ways in which advertisers and other corporate 
entities are using their personal data without any meaningful 
consent on the part of those people, as Professor Lamdan was 
talking about.
    I see no reason to fear that people will simply forget 
about privacy issues if the government is required to adhere to 
the legal process that the Fourth Amendment and Congress have 
put in place.
    Mr. Bishop. How about you, Mr. Tolman?
    Mr. Tolman. Well, I would say that the first order of 
business is to make sure that there is transparency and 
accountability with government. If you can't do that, then when 
you seek to rein in the private sector you are incapable of 
utilizing government to do so.
    Mr. Bishop. Ms. Wexler?
    Ms. Wexler. Well-meaning privacy statutes that try to 
regulate commercial exploitation of information have a 
disturbing trend.
    They often include exceptions for law enforcement access 
but no exceptions for criminal defense counsel access, meaning 
an unintended side consequence of those privacy statutes is 
that they increase disparities between investigations of guilt 
and investigations of innocence.
    It would be wonderful for the Committee if it's considering 
those regulations to include parallel symmetrical exceptions or 
no exceptions at all.
    Thank you.
    Mr. Bishop. So, Professor Wexler, just maybe to pursue 
that, I sort of followed it. I never did any criminal law. Is 
it conceivable that you would be--by imposing the restrictions 
you describe on government that you would be unilaterally 
empowering defense counsel or the defense against government 
and creating a tilted playing field for criminal prosecution?
    Ms. Wexler. There is a possibility that privacy statutes 
could selectively prohibit law enforcement and not prohibit 
criminal defense access.
    The majority of privacy statutes do the opposite. They 
selectively empower law enforcement investigations while 
entirely or, largely, blocking criminal defense access.
    So, an example is the Stored Communications Act. Section 
2702 gives a broad bar on service providers disclosing 
voluntarily the contents of stored communications.
    Section 2703 has an exception for law enforcement. There's 
no exception for criminal defense investigations.
    Mr. Bishop. Professor, that's how--I appreciate it. I 
didn't want to cut you off. I've got one more question I want 
to squeeze in.
    Does anybody here have any information on the FBI--the 
current information on the FBI's purchase and use of the 
Pegasus software that allows access to a cell phone without any 
indication on the cell phone to collect information?
    [No response.]
    Mr. Bishop. Nobody is up to speed on that one. That one's 
really spooky to me.
    All right. Then in that case, Professor Wexler, I've sort 
of cut you off. Did you finish your point?
    Ms. Wexler. Well, one other thing I would add is that it is 
also entirely within the power of Congress to enact privacy 
statutes that create evidentiary privileges, meaning they would 
entirely block both law enforcement and criminal defense access 
and civil litigants.
    Thank you.
    Mr. Bishop. Thank you, and I yield back.
    Chair Nadler. The gentleman yields back.
    Ms. Dean?
    Ms. Dean. Thank you, Mr. Chair, and I'll be quick. I have 
to admit, this set of testimony is extremely chilling on this 
hot day. So, thank you for bringing all this to light. Thank 
you, Mr. Chair, of course.
    Maybe I'll start with you, Professor Wexler.
    Pre-Dobbs and now post-Dobbs, can you give me--describe the 
risk and the reality of State or local or Federal law 
enforcement or other agencies purchasing data to identify 
people seeking healthcare choices, seeking abortion care?
    Is there any tracking, for example, of women who are 
tracking their own menstruation? I remember a hearing in here 
under the previous administration where we had administrators 
at ICE detention centers tracking menstruation of those young 
women who were detained. Scary stuff.
    What's the reality pre-Dobbs and post-Dobbs?
    Ms. Wexler. Thank you for the question.
    This data tracking means that people who are pregnant and 
seeking access to medical care are extraordinarily vulnerable 
to having their data sold to vigilantes as well as provided 
voluntarily to law enforcement or obtained by law enforcement 
across State lines, and one thing this Committee could spend 
time considering that would be time well spent is enacting an 
evidentiary privilege via statute.
    So, Pierce County v. Guillen is a Supreme Court opinion 
authored by Justice Thomas. It affirms that Federal statute 23 
U.S.C. 407 creates a facially absolute evidentiary privilege in 
both Federal and State court through statutory text that says, 
quote, ``information protected under that statute,'' quote, 
``shall not be subject to discovery or admitted into evidence 
in a Federal or State court proceeding, or considered for other 
purposes in any action.''
    So, the data tracking that we're talking about makes 
pregnant people who are seeking medical care extremely 
vulnerable post-Dobbs and this Committee could do more than 
enact privacy statutes that limit or regulate access.
    Indeed, it has the power to enact evidentiary privileges 
that would block Federal or State law enforcement from 
accessing abortion-relevant data at all. That would be time 
well spent.
    Ms. Dean. Thank you very much.
    All this conversation reminds me of the Watergate era 
expression ``follow the money.''
    So, Professor Lamdan, can you describe the kinds of money 
that government is spending? Who's profiting from this? What 
authorizes the government to spend millions of dollars to 
collect our data? I'd like to find out about the money.
    Ms. Lamdan. That's a really good question.
    Yeah, millions and millions of dollars. ICE's contract with 
one data broker alone, LexisNexis, has for $16.8 million and 
Thomson Reuters, another data company, has over $30 million in 
contracts with the same agency.
    I'm not sure--they also have contracts with Palantir and 
with other data analytics companies. So, cumulatively, across 
agencies State, local, and Federal hundreds of millions of 
dollars are being spent on these contracts and the 
beneficiaries are these data broker companies, right. They're 
the data companies themselves--these data technology and data 
collecting companies.
    Ms. Dean. Can you speak to them? Who are data brokers? Who 
are these--
    Ms. Lamdan. There's this niche industry. So, there are 
commercial data brokers that sell data that track--to make ads 
to track us and to advertise to us. These government data 
brokers are much more insidious because, as Chair Goodlatte 
said, ``they actually can break down our doors and violate our 
rights, and the main companies that are involved in that work 
are LexisNexis, Oracle, Thomson Reuters, Palantir.''
    On State and local levels there's another kind of layer of 
data companies. There's COPLINK. There's PredPol. There are all 
these data collection companies and then analytics companies 
that kind of crunch that data that are received and purchased.
    Ms. Dean. Chair Goodlatte, in the last half a minute, 
anything you want to add as to following the money?
    Mr. Goodlatte. No, I think Ms. Lamdan has covered it very 
well.
    Ms. Dean. Thank you very much. I yield back.
    Chair Nadler. The gentlelady yields back.
    Votes have been called on the House floor. The Committee 
will now stand in recess until immediately after the conclusion 
of these votes.
    The Committee is now in recess.
    [Recess.]
    Ms. Ross. [Presiding.] The House Judiciary Committee will 
come to order. Mr. Buck is recognized.
    Mr. Buck. I thank the Chair.
    Chair Goodlatte, I have a few questions for you. The first 
one is: Do you like action movies?
    Mr. Goodlatte. I do.
    Mr. Buck. I do also. I don't have a great memory on all the 
movies, but I remember Bourne Ultimatum and how the U.S. 
government used sort of a geolocation tracker to track people 
without a warrant. Constitutional? Unconstitutional?
    Mr. Goodlatte. I don't know if we have enough facts, but 
probably at least partly unconstitutional.
    Mr. Buck. Okay. There are other movies that have the 
government looking at bank information without a warrant. 
Constitutional? Unconstitutional?
    Mr. Goodlatte. I would say unconstitutional.
    Mr. Buck. They actually have some movies where they are 
doing surveillance but they have these super cool things that 
probably exist now; I have just never seen them, that you can 
look inside someone's home and see what they are doing inside 
the house, not just through an open window, but through a wall. 
Maybe they go down the chimney from a satellite or some crazy 
idea. Constitutional? Unconstitutional?
    Mr. Goodlatte. I would have to defer to Eliza or somebody 
else on that one because I've seen some court decisions on that 
and I'm just not sure how the courts came down on it, but I--
    Mr. Buck. Okay. Let me ask you this then--
    Mr. Goodlatte. I would be a little suspect of it.
    Mr. Buck. How about creepy?
    Mr. Goodlatte. What's that?
    Mr. Buck. How about creepy? Can we use creepy instead of 
constitutional? It is kind of creepy to have people looking 
through walls at what you are doing inside your house.
    Mr. Goodlatte. Creepy for sure.
    Mr. Buck. Okay. So, I guess what I am trying to get to is 
government can't do those things directly and it shouldn't be 
able to do those things indirectly. Chair Nadler has a bill to 
that effect, and I want to support that legislation. What I am 
concerned about is should corporations be able to do that, and 
particularly a corporation like Google.
    Should Google--when you sign up for a Gmail account, you 
get this contract and on page 23 there are two sentences that 
say you waive everything. Should the government, or should 
Congress have some requirement that each time you are making a 
waiver you have to enter into that agreement? You have a 
choice: You can waive everything, you can waive it each time 
you use it, or you can never waive it. Should there be 
something out there that at least inhibits to a certain degree 
the private companies from doing that which we find creepy?
    Mr. Goodlatte. Congressman Buck, I would say that the more 
opportunities that the consumer has to decide for themselves 
whether or not they want to make certain information available 
to Google or other companies and control how Google might 
utilize that information, the better.
    Mr. Buck. I love the fight that goes on sometimes between 
Apple and Facebook and some of these other companies. I love it 
when two giants are fighting over something. There are 
occasions where Apple will assert certain privacy. I think they 
have a business interest, frankly, in asserting that privacy, 
but they will assert certain privacy on behalf of their 
customers.
    If we had 10 Googles, if we had a DuckDuckGo that was 
prominent, would that help solve part of this problem? If we 
had competition and there was a niche market for some consumers 
like you and I who just find it creepy that these companies 
know everything about us because we have the audacity to want 
to know how to get from point A to point B, from our home to a 
Christmas party at some coworker's that we have never been to 
before and we use a GPS device to get there. Now, they know 
everything and everywhere we have been. We just want to use 
technology in a way that benefit us, and yet they have this 
surveillance economy where they are creating this data profile 
on us. Is there a benefit to competition in the marketplace 
that could help deal with some of these issues?
    Mr. Goodlatte. Again, I think the more choices the consumer 
has in terms of how they can control or access their 
information that if one competitor; and Apple does promote this 
and DuckDuckGo does promote this, the more opportunities you 
have to choose I'm going to use this search engine, I'm going 
to use this operating system, I'm going to use this Gmail or 
email account, I think the better off the consumer is.
    Mr. Buck. In the last few seconds I have, how do we use the 
antitrust laws to try to expand competition and create that 
kind of opportunity for consumers?
    Mr. Goodlatte. Well, I think that antitrust laws definitely 
should be utilized to promote competition. Giving the consumer 
more choices is a benefit of more competition and, so Congress 
should always look it from that perspective.
    Mr. Buck. Thank you very much and I yield back.
    Ms. Ross. Okay. Mr. Raskin is recognized.
    Mr. Raskin. Could Ms. Scanlon go before me? Can we switch?
    Ms. Ross. Ms. Scanlon is recognized.
    Ms. Scanlon. Thank you so much.
    As more of our lives shift online, obviously robust digital 
privacy protections become more and more important and the 
immense cache of digital data that we each generate by carrying 
one or two smartphones or whatever it becomes really 
staggering. Obviously, legally we have to catch up some, and it 
seems as though the Supreme Court's kind of narrow and 
antiquated possibly interpretation of personal privacy rights 
is not meeting this moment.
    So, I had a couple questions. Ms. Goitein, is it? The 
Fourth Amendment guards against unreasonable searches and 
seizures and it has been interpreted by the Supreme Court in 
Katz to include a reasonable expectation of privacy. Do you 
think that Americans still have a reasonable expectation of 
privacy in their online browsing and cellular phone use when we 
hold that up against the Katz decision?
    Ms. Goitein. They absolutely do have a reasonable 
expectation of privacy. Whether the court will acknowledge that 
they have that expectation and honor it is the question that I 
think we're all asking.
    As I mentioned in my opening remarks, the Supreme Court has 
begun to catch up. The fact that the court recognized that 
people have a reasonable expectation of privacy in their cell 
phone location information, even though they quote, ``share'' 
unquote, that information voluntarily with the phone company, 
is a major step forward, because it means that even when 
information is stored by a third party--highly, highly 
sensitive information--the court might still be willing to give 
it protection.
    Unfortunately, the court very explicitly limited its 
holding in that case, Carpenter v. The United States, to the 
facts of that case, to historical cell phone location 
information collected by the police. It could be years before 
the court looks at, say, web browsing history, or DNA, or, 
communications metadata. Each kind of information, each 
technique by which it's collected and stored, each kind of 
company that stores it and shares it is going to be a different 
use case, a different fact pattern that comes before the court, 
and it's going to take years.
    Americans' Fourth Amendment rights should not hang in the 
balance during that period. That's why it's so important for 
Congress to step in and fill that gap.
    Mr. Scanlon. Yes, it is certainly something--you have 
raised several issues. First, this idea that we voluntarily 
turn over this data when it is voluntary. If you want to use 
the service, you end up forfeiting a lot of this data.
    So, what can we do? I mean we are in a situation where 
there are any number of things. We would like Congress to pick 
up the ball and enact legislation if we can get our Senate 
colleagues to go along. What do you suggest we do?
    Ms. Goitein. I think there's been broad bipartisan 
consensus here today among the Witnesses and among the Members 
that the Fourth Amendment Is Not For Sale Act is an important 
measure and that it should be passed quickly. What that law 
will do is close some of the gaps that technology has opened in 
the Electronic Communications Privacy Act, and also the Foreign 
Intelligence Surveillance Act. It will plug the gaps in 
existing laws that are allowing the government to evade those 
laws. That's something that can be done quickly and in a very 
straightforward way.
    At the same time, I think there's also been fairly broad 
agreement that it would behoove Congress to undertake 
comprehensive data privacy legislation. That's a big project, 
but Congress should throw itself into that effort.
    Mr. Scanlon. Thank you. Professor Wexler, we have heard a 
lot of concerns raised recently with the abortion bans that are 
going into effect in some States about how data could be used 
to track women's travel or attempted access to reproductive 
healthcare. Can you talk about how that relates to our 
harassment today with respect to concerns about law enforcement 
using data and how that compares to other criminal 
prosecutions?
    Ms. Wexler. Absolutely. Thank you for the question. It's a 
real concern. There's been a lot of discussion about period 
tracking apps and other reproductive health apps. Those do put 
pregnant people seeking medical care at risk, but it's not only 
those apps. It's location information. It's web search history 
information. It's chat messages, text messages. Unencrypted 
chat messages have already been used to charge one woman who 
miscarried with feticide and another with murder.
    So, the discussions the Committee is having now on data 
privacy are all the more urgent post-Dobbs, but I would urge 
the Committee not to stop at the Fourth Amendment Is Not For 
Sale Act or at a privacy statute, but enact an evidentiary 
privilege that would block Federal and State law enforcement 
access as well as civil litigant access. Thank you.
    Ms. Scanlon. Thank you. I yield back.
    Ms. Ross. Mr. Chabot?
    Mr. Chabot. Thank you very much. I want to thank the 
Witnesses for sharing their insight today so that we can get a 
better understand of the collection, use, and retention of 
personal data, which is obviously a very, very important issue. 
I would note that Chair Nadler and I worked together on 
something called the Defense of Privacy Act back in the day 
when I was actually Chair and he was Ranking Member of the 
Constitution Subcommittee, and something that we worked on 
pretty earnestly for quite some time. Back then our primary 
concern was the potentially unconstitutional collection of 
personally-identifiable information by government agencies.
    Today, most people voluntarily surrender far more 
information to private companies than the Federal government at 
that time ever thought about collecting. That is what makes the 
situation that we are discussing today so concerning to so many 
Americans. The breadth and depth of information about nearly 
every American held by private companies is breathtaking and 
can easily be abused if adequate safeguards are not in place, 
but domestic abuse of this information is not our only concern; 
we face significant challenges from abroad as well.
    In addition to serving on this distinguished Committee, I 
also serve as Ranking Member of the House Foreign Affairs Asia 
and Pacific Subcommittee, and on that Committee we strive to 
counter the immense threat the People's Republic of China 
poses, not only to Americans, but to the human rights of its 
own people.
    It is well known that the Chinese Communist Party uses a 
vast surveillance network to track, analyze, and manipulate its 
1.4 billion citizens. The CCP, the Chinese Communist Party, 
sees information as power. Their dream is a database that fully 
integrates everyone's movement, phone records, spending 
history, interactions with friends, health records, social 
media posts, and on and on into one giant web of surveillance.
    We are not China. The Fourth Amendment protects against 
warrantless searches and seizures. The Supreme Court has long 
interpreted the Fourth Amendment to safeguard the privacy and 
security of individuals against arbitrary invasions by 
government officials.
    Given the constant evolution of technology virtually 
everything about an individual nowadays is online, whether you 
intentionally put it there or not. Accordingly, Congress must 
continue to exercise oversight to ensure the reasonable 
expectation to privacy that is guaranteed under the Fourth 
Amendment. We have to make sure it is not compromised by law 
enforcement, by practicing purchasing bulk data information 
without a warrant, or by foreign actors who would steal the 
same information for their own nefarious purposes.
    So, now I will get around to a question. Chair Goodlatte, 
let me ask you this: How should policy makers balance the 
competing interests of the government's ability to prevent 
crime and the civil liberty interests to the American citizen?
    I would preface my question by noting that I know versions 
of that have probably been asked. I was actually in a Foreign 
Affairs Committee up to this point and so I apologize if you 
have already been asked that.
    Mr. Goodlatte. I don't think it's been framed quite that 
way, and that's a very good question. It's obviously very 
important for law enforcement to have the tools they need to 
prevent crimes, to solve crimes that have already been 
committed, and to effectively prosecute the individuals who 
perpetrate those crimes.
    I would argue that just in the last maybe two decades the--
it has gotten out of balance because the nature in which people 
store their data has changed so dramatically. Information that 
you didn't have stored, didn't have in writing anywhere at all 
in the past now is stored about every aspect of your life, and 
it's stored by a third party. So, the old adage that if you 
don't hold it yourself, you're not subject to a warrant if a 
third party holds it, they can get it without a warrant, that's 
got to be reviewed.
    The Supreme Court has recognized that in the Carpenter 
decision, in the Riley decision with regard to cell phones, 
with regard to geolocation information. So, I think it's 
important that the Congress recognize that if we wait for the 
courts to step up and not address the underlying doctrine 
itself and say that given the amount of information that is 
stored today that a new standard has to be set. That's what 
this bill attempts to do in terms of the information that can 
be garnered by law enforcement without having to get a warrant, 
without having to show probable cause that they need it.
    So, I think you can achieve that balance. I think law 
enforcement can be effective, but I think they do need to 
operate under new rules given the unbelievable amount of 
information that they can simply walk around the Fourth 
Amendment and buy now instead of having to comply with 
traditional doctrine.
    Mr. Chabot. Thank you very much. My time is expired 
actually, I think.
    Ms. Ross. Yes, thank you. Mr. Raskin is recognized.
    Mr. Raskin. Thank you, Madam Chair.
    Seems to me that most people believe as an abstract 
proposition that people have a privacy right, if not a property 
right in their own digital communications, their own digital 
history, although I don't know we have established that 
anywhere, and that might be something we really need to talk 
about.
    The problem is that when you get to a specific criminal 
investigation or a civil investigation and people know that 
there is a record out there relating to it, I think if you 
polled people at that point people would say well, if there is 
a record, then the record should be made available.
    So, I guess I'm asking what do we do about that basic 
problem? It seems like technology has a kind of momentum of its 
own and once the facts and the data exist, there is a sense 
that, well, the government should have access to it.
    So, Professor Wexler, let me ask you about that.
    Ms. Wexler. Thank you for the question. Evidentiary 
privileges exist: The attorney-client privilege, the spousal 
communications, the priest-penitent privilege. There is also a 
slew of statutory evidentiary privileges that Congress has 
enacted. Those shield existing data from law enforcement and 
civil litigants. They block warrants, they block subpoenas, 
they block discovery orders, they protect against wiretapping.
    If law enforcement accidentally over-seizes a privileged 
communication, they have to use a taint team to purge that 
content before delivering it to a prosecution team. So, 
privileges are more powerful than torts, than contracts, than 
fiduciary duties, and they are even more powerful than the 
Fourth Amendment. They exist for a good reason, and they could 
exist for abortion-relevant data. Thank you.
    Mr. Raskin. So, but what is the privacy privilege you are 
positing there, or you are arguing for?
    Ms. Wexler. Any abortion-relevant data could be covered. 
Now, this is the specifics of this would be something that the 
Committee would have to look into. I'd be happy to help however 
I can. It's certainly within the power of this Committee to 
identify especially sensitive data and protect it with a 
statutory evidentiary privilege.
    Mr. Raskin. Okay. So, Professor Wexler seems to be positing 
a specific policy cutout for an evidentiary privilege related 
to abortion-related travel or speech or so on, but we are also 
talking about the more general problem, right?
    Professor Goitein, let me come to you. The legislation I 
understand we are talking about is to prevent the government 
from purchasing information from data companies that it cannot 
otherwise obtain directly. Is that right?
    Ms. Goitein. That is right. It would not prevent the 
government from obtaining that record if it could meet the 
legal standard that would otherwise apply. So, if the 
government can either get a subpoena or a court order or a 
warrant under the applicable legal standard, it will have 
access to that record. That gets to both your hypothetical 
about people wanting their data to be private, but also, if 
there's a record in existence, wanting the police to have 
access if it will help with solving criminal activity.
    Mr. Raskin. At least access through some kind of legal 
mechanism.
    Ms. Goitein. Exactly. That also gets to Congressman 
Chabot's question. This is all about the balance between 
privacy and law enforcement, the legitimate needs of law 
enforcement, and that balance was established by the framers in 
the Fourth Amendment. Americans have privacy rights. Those 
rights can be overcome if the government can show probable 
cause to a neutral magistrate.
    Mr. Raskin. So, this is essentially the meta-technological 
equivalent of saying that if the government can't enter your 
home without a search warrant, they can't pay somebody who goes 
into your--who breaks into your home or otherwise gains access 
through some kind of duplicity saying that they are a carpenter 
or a plumber or whatever, right?
    Ms. Goitein. That's an excellent analogy.
    Mr. Raskin. Yes. So, how big a problem is this? In other 
words, has it become a habit of government to be able to 
purchase data from companies to essentially execute warrants or 
obtain evidence they would not otherwise be able to get?
    Ms. Goitein. It certainly seems that way. I will say again, 
I can't stress enough, that the government has been completely 
non-transparent about this practice. So, what we know, we know 
from investigative reporting, from non-governmental 
organizations that have done their own investigations, from 
lawmakers who have asked probing questions. From that, we get 
pieces of a puzzle, and those pieces leave no doubt that this 
is a widespread practice now among many Federal agencies, and 
State and local agencies as well.
    Mr. Raskin. Well, I thank you for that.
    Madam Chair, this sounds like very sensible legislation to 
me, and I will yield back to you.
    Ms. Ross. Thank you. Mr. McClintock is recognized.
    Mr. McClintock. Thank you.
    Mr. Goodlatte, there seemed to be two principles here. One 
is I feel very strongly about the Fourth Amendment's 
protections, and it seems to be very crystal clear. We have a 
right to be secure in our papers, those things that we either 
write down or say privately. In my view that would include 
metadata about those records. I would even go a step farther 
and say whether your papers or effects are stored at your home 
or are entrusted to some third party for storage, they are 
still private and they would require a warrant to search them 
under the Fourth.
    However, a person can waive these rights in a contractual 
agreement with another party if they wish to. If a person 
agrees to terms of service that allow disclosure of aspects of 
their private papers, seems to me they have that freedom. If 
they don't like the privacy provisions that accompany offers, 
they don't have to agree to it. They can choose a competitor or 
do without. I am old enough to remember when we did without all 
this digital technology. I don't for the life of me remember 
how we did without it, but we seemed to do so very nicely.
    So, my point is why should we interfere with the right of 
two parties to agree to terms of service? What is wrong with 
that.
    Mr. Goodlatte. Well, that's a separate issue from the core 
issue in the Fourth Amendment Is Not For Sale Act. I do think 
that it would be good for the Congress to look at that 
underlying issue that you refer to. Considering the fact that 
I'm not the most prolific user of the internet, but I counted 
yesterday. On my phone I have 160 apps. Most of those apps are 
gathering information about me and storing it. I don't--
    Mr. McClintock. Well, and by the way, I would assume a lot 
of those apps sell that information. That is how they make the 
money--
    Mr. Goodlatte. Right.
    Mr. McClintock. --to pay for the app and to provide you 
with that service.
    Mr. Goodlatte. Correct.
    Mr. McClintock. So, if they can't sell that information--
    Mr. Goodlatte. Correct. But they--
    Mr. McClintock. --wouldn't they have to charge me for the 
service they are now providing me for free, and how does that 
help me as a consumer?
    Mr. Goodlatte. Well, first, I think that the important 
thing there is that the consumer understands and has that 
choice.
    Mr. McClintock. Right.
    Mr. Goodlatte. That's a different issue than what's before 
us today.
    Mr. McClintock. Well, that is what it means to be a 
grownup. You have to read it and stand by your agreements.
    Mr. Goodlatte. Right. The Fourth Amendment does not apply 
to that transaction. The Fourth Amendment applies if the 
government wants to buy--
    Mr. McClintock. Because I have essentially waived--I have 
waived my right under the terms of privacy that I have agreed 
to exchange for the service they are providing me.
    Mr. Goodlatte. Correct. Did you waive your Fourth Amendment 
right to not have the government, which would otherwise be 
required to have a warrant or a subpoena or some other court 
order, to get that information just because you had a 
transaction with a company that got your information--
    Mr. McClintock. I have told the other party in that 
contract it is okay for you to sell certain information. You 
are bound by the terms of that contract. You can't sell 
information beyond that, but I have agreed to allow you to do 
that in exchange for the service that you are providing me.
    Mr. Goodlatte. I think that would--I think that's--
    Mr. McClintock. Why would we interfere with that is--
    Mr. Goodlatte. I think you're interfering with it because 
the government has that power that other entities might buy 
that information do not have.
    Mr. McClintock. Which is why we have a Constitution to 
restrain it, but that Constitution guarantees me not only my 
Fourth Amendment privileges against the government to come 
snooping into my affairs, but it also gives me the freedom to 
enter into contracts with others that we find mutually 
beneficial. I may find it mutually beneficial to get this free 
service in exchange for selling certain of that data. That is 
an informed consent that I have a right to as a consumer.
    Mr. Goodlatte. Right, but the sale of the information to 
the government puts the government in the picture as well and 
the Fourth Amendment is directed at the government not 
obtaining information without showing probable cause, without 
providing a warrant.
    Mr. McClintock. Let me ask you one other question on 
location data. It doesn't seem to me that this falls within the 
papers and effects definition. If someone observes your 
movements in public, that isn't a search or seizure. I observe 
you right here before me. Whether I make that observation once 
or 100 times a day doesn't really matter. How does location 
data fall within the Fourth Amendment?
    Mr. Goodlatte. Well, I'd have to go back to look at the 
Carpenter decision to interpret exactly how the court did that, 
but the court has held that, and courts have held that, under 
certain circumstances that information is protected.
    Mr. McClintock. Thanks. I yield back.
    Mr. Raskin. Would the gentleman yield for a question, or a 
point? Because I think you make a good point that maybe it is 
not unconstitutional, maybe it doesn't violate the Fourth 
Amendment for the government to go to one of the big companies 
and say we are going to purchase this data, but the question 
for us is the policy question: As citizens do we want our 
government engaged in the business of purchasing--
    Mr. McClintock. I understand that, but the flip side of 
that is, do we want our government interfering with our right 
to contract with providers for services that we may find 
appealing under the terms of that agreement? If they are 
providing--again, the alternative is if they are making money 
right now selling this data that I told them they can sell, but 
they are not allowed to do that anymore because we have stepped 
in, they are going to have to charge me.
    Mr. Raskin. Well, they can still do it--
    Mr. McClintock. They are going to have to charge the 
consumer for that service and I am not sure that is in my 
interest as a consumer.
    Mr. Raskin. They can still sell it to the rest of the 
world, but what we are saying is as citizens we don't want our 
government circumventing Fourth Amendment restrictions by being 
in that market.
    Ms. Ross. Gentlemen, your time has expired.
    Mr. Swalwell is recognized.
    Mr. Swalwell. Thank you. I want to focus on what access to 
locational data and personal data means with respect to living 
in a post-Dobbs world where a woman's right to reproductive 
freedom is now being infringed upon and we are seeing State 
efforts to try and track down patients who are crossing State 
lines to seek abortion services. The Attorney General of 
Indiana is investigating a doctor who performed a termination 
of pregnancy on a 10-year-old who had to leave Ohio after she 
was raped to go seek this service in Indiana.
    So, I have a lot of concerns about what this could mean in 
the future. I want to begin with the Republicans in the 
minority have promised that if they were to achieve the 
majority, if they were to win the House in November, that they 
are going to use broad subpoena powers in their new majority. 
So, my first question is for Professor Wexler. Professor 
Wexler, if Jim Jordan as Chair of the Judiciary Committee 
wanted to seek a patient's records or a patient's travels under 
locational data that is available, would he be able to do this 
with the amount of data that is out there?
    Ms. Wexler. Absolutely. The existing data would be 
vulnerable to such a subpoena. There is a wealth of data to 
track pregnant people's actions seeking medical care. However, 
if this Committee enacted an evidentiary privilege, that would 
also have the power to block a Congressional Subpoena.
    Mr. Swalwell. If Chair Jordan in a Republican majority 
wanted to go after doctors who perform abortion services or 
doctors who are in communication with patients, is there enough 
data out there that under the law today he would be able to do 
that?
    Ms. Wexler. Yes, there is.
    Mr. Swalwell. If Chair Jordan in a Republican majority 
wanted to go after abortion service providers to understand who 
they are communicating with, would he be able to subpoena this 
type of data?
    Ms. Wexler. Yes, he would. Existing privacy statutes like 
HIPAA would not prevent that even though they apply to 
traditional medical service providers because they have 
exceptions for law enforcement access, and that would apply for 
Congress. I'm also certainly--I'm almost certain. I could 
double-check that and provide confirmation for the record.
    Mr. Swalwell. In a Republican majority would Chair Jordan 
be able to subpoena companies who provide travel reimbursements 
or travel to employees who have to leave their State to go to a 
State that can provide abortion services?
    Ms. Wexler. Yes.
    Mr. Swalwell. Crisis pregnancy centers which continue to 
skyrocket as States across the country ban abortion are faith-
based groups that often misrepresent themselves as reproductive 
health clinics. Their mission is to dissuade pregnant women 
from having abortions at any cost. A recent Time Magazine 
investigation shined a light on how far these centers will go 
to harm women who are seeking essential health services.
    In fact, the Time study found that these centers collect 
substantial sensitive data on women who come to them for help 
including addresses, marital status, demographic information, 
sexual and reproductive histories, test results, ultrasound 
photos, and information shared during consultations.
    Because crisis pregnancy centers are not licensed medical 
clinics and offer their services for free, they are not legally 
bound by Federal health data privacy law. Furthermore, these 
clinics often do not employ privacy notices which prohibit data 
obtained from being sold to the highest bidder.
    Professor Wexler, can you explain how crisis pregnancy 
centers would be able to weaponize data against women who are 
merely seeking additional resources when they aren't able to 
obtain an abortion in their State?
    Ms. Wexler. Well, any private entity who obtains data that 
would identify people who are seeking abortions could 
voluntarily hand that information to law enforcement who could 
use it for antiabortion prosecutions, or under some State 
statutes they could sue as civil plaintiffs as well.
    Mr. Swalwell. So, you are telling me that a woman who is 
making the very personal decision about whether or not she 
wants to have a pregnancy and have a baby could go to a 
pregnancy center, consult with the employees at the pregnancy 
center, and that they would be able to obtain data under the 
law as it exists today and turn it over perhaps as a bounty as 
you would be able to do in Texas, if they believed that she was 
going to have an abortion?
    Ms. Wexler. That's correct.
    Mr. Swalwell. I yield back.
    Ms. Ross. Mr. Tiffany is recognized.
    Mr. Tiffany. Thank you, Madam Chair. I am assuming the 
gentleman from California wasn't referring to the bounties that 
have been put on Supreme Court Justices.
    Mr. Swalwell. Would the gentleman yield?
    Mr. Tiffany. We heard the conjecture that was going on--
    Mr. Swalwell. Would the gentleman yield?
    Mr. Tiffany. No, I will not.
    Mr. Swalwell. Well, you asked me a question.
    Mr. Tiffany. No, not a chance.
    Mr. Swalwell. I wasn't referring to that and I condemn all 
violence. Why don't you do the same?
    Mr. Tiffany. May I have my time back?
    Mr. Swalwell. You do the same.
    Mr. Tiffany. May I have my time back?
    Mr. Swalwell. You condemn violence; I will do it, too.
    Mr. Tiffany. May I have my time back? The gentleman that 
was referred to in the previous question, Representative 
Jordan, he actually spoke favorably earlier in this Committee. 
I think we all heard that. He spoke favorably towards this 
bill. To do all this conjecture is just to scare people and it 
is really unfortunate.
    Ms. Goitein, you heard the exchange with Representative 
McClintock earlier, and would you like to comment on what you 
heard there and are there protections in place that should be?
    Ms. Goitein. Sure. The notion that when a person accepts 
the terms and conditions of an app, that this is an equal 
negotiation between parties in which voluntary choices are made 
and everybody leaves with what they wanted out the transaction, 
belies the reality of these situations, where first, the 
consent is not truly informed consent. If you look at these 
privacy policies, these terms and conditions, apps will often 
say that they will not disclose your data to the government and 
that they will not disclose your personal data at all, but they 
will not tell you that they are going to disclose your data in 
aggregate or in an anonymized fashion to other entities that 
may very well disclose it to the government.
    I have yet to see a privacy policy that actually says, 
We're going to give your data to third parties and those third 
parties can do whatever they want with it and even though we 
have de-anonymized it, you can be identified. It can be traced 
back to you. I haven't seen that policy. I don't know how many 
people would readily consent to it.
    That brings me to the second point, which is whether there 
is actually truly a choice here to consent, because this is the 
business model, certainly for free apps. If you are not paying 
for the product, you are the product. If you decide that you 
don't want any of these companies to share your data, you are 
effectively saying that you're not going to use apps, which is 
another way of saying you're not going to participate in the 
conveniences of modern society.
    The Supreme Court in Carpenter was very clear that the 
Fourth Amendment does not require people to choose between 
their Fourth Amendment rights and participating in modern 
society. So, I think the analogy just doesn't hold up.
    Mr. Tiffany. So, are you somewhat saying that there are 
different forms that they deliver this message, or these 
messages, or your information to the government? Is that 
accurate?
    Ms. Goitein. That's certainly accurate, yes.
    Mr. Tiffany. Okay. Earlier we had some allusion to ICE and, 
Ms. Lamdan, I'd like to address a question to you. We were 
talking about limitations of using data and what this bill is 
all about. When it comes to protecting our border, including we 
have had the greatest number of known terrorists that have 
crossed our border, should all these limitations that we are 
talking about here today--should they all be in place for 
people that want to come illegally into our country?
    Ms. Lamdan. Everybody whose data is being used by law 
enforcement should have transparency and notice around that. I 
think that just applies to all humans who make these, as Liza 
pointed out, not really illusory agreements, right? We're all 
agreeing. We're all volunteering to give our data over, but 
it's to move about with our phones or just do the basic things 
of life. I think that there's a balance between not letting law 
enforcement use the data at all, which is not what we're 
advocating for, but between giving people notice and 
transparency that, hey, your data will be used in this way.
    Mr. Tiffany. So, the Biden Administration is giving out 
phones that are probably tracking people coming into the 
country illegally or organizations like the organization for 
immigration--international organization. Should they be able to 
use that data with those tracker phones that are coming in?
    Ms. Lamdan. Law enforcement should be able to do the work 
of law enforcement as long as warrant requirements and due 
process is given. So, as long as there's notice and probable 
cause.
    Mr. Tiffany. One more question.
    Thank you very much. Representative Sensenbrenner was the 
Chair of this Committee. Mr. Goodlatte, you served with him. He 
wrote an article six months ago. It was ``The PATRIOT Act 
Wasn't Meant to Target Parents.'' Where did the PATRIOT Act go 
off track?
    Mr. Goodlatte. Well, I think the PATRIOT Act went off track 
in not defining some of the areas that set parameters around 
government gathering data. So, that's why we have the USA 
FREEDOM Act that followed on. It was intended to cover the 
government's acquisition of mass data from telecommunications 
companies, but it was also intended to be a broader ban on 
government gathering mass data.
    Now, I think that should cover some of the problems that 
we're experiencing today, but lawyers for the government have 
gone right around that and said well, as long as we're buying, 
we don't have to comply with the law or the Fourth Amendment.
    Mr. Tiffany. I wish I could pose a lot more questions, but 
I will yield back.
    Ms. Ross. Okay. Ms. Jackson Lee, you are recognized.
    Ms. Jackson Lee. I thank the Chair very much. I thank the 
Witnesses. I thank Chair Nadler, Ranking Member, for holding 
this hearing. We, the Judiciary Committee, are being definitely 
tasked in our responsibility, so I am grateful to have this 
opportunity.
    It is good to see Chair Goodlatte. We worked together on a 
number of these initiatives, including the Patriot Act, where 
the Judiciary Committee had to save America from violations 
that would have undermined their right to privacy and their 
rights under the Fourth Amendment without jeopardizing our 
national security.
    Let me pose this example: In 2018, Mississippi mother 
Latice Fisher was charged with second degree murder and held 
for several weeks on $100,000 bond after experiencing a 
stillbirth. Evidence used in her indictment included online 
search history taken from her cell phone that showed search 
terms related to inducing miscarriage and medication abortion.
    Then, in 2019, prosecutors in Ohio used a teen's online 
search on how to get rid of a baby as evidence that she killed 
her newborn in a murder case where the teen was ultimately 
acquitted. We want justice. We want justice in a fair way.
    Professor Wexler, can you speak to how broad the use of 
data and invasion of privacy can be in the name of law 
enforcement and law enforcement's responsibility and 
responsibilities that criminal courts would think that they 
would have?
    Ms. Wexler. Absolutely. So, data can be abused at all 
stages of the pipeline and it is essential to have some privacy 
regulations that restrict law enforcement access, but even 
restricted access, even probable cause warrants will not 
protect pregnant people seeking medical care from antiabortion 
prosecutions. To do that this Committee would need to enact an 
evidentiary privilege which would be stronger than existing 
privacy or confidentiality statutes. It would be stronger even 
than the Fourth Amendment. It would preclude the use of 
abortion-relevant data in investigations or in trials.
    Ms. Jackson Lee. I think that if I can pursue this with 
you, I would not have ever imagined ourselves to be in this 
predicament. One, Roe v. Wade being obliterated by the court, 
50 years of precedent. Then in a new world of technology where 
data is everywhere. Would you comment on the data brokerage 
firms and how they gather this information in the sense that it 
can be every aspect of your life?
    Ms. Wexler. So, this is a really important question. Thank 
you for the question. I actually think that other Witnesses may 
be better able to speak as fact Witnesses to the data brokerage 
firms, so I want to yield my--if possible, to another Witness 
to answer that question.
    Ms. Jackson Lee. Ms. Lamdan?
    Ms. Lamdan. Yes, I'm happy to answer that question. So, 
you're absolutely correct that these data brokering firms get 
data from thousands of sources and they don't reveal--there's 
no transparency around what these sources are. So, they could 
easily have all the data that you're concerned about and then 
they engage in licensing contracts with State, local, Federal 
law enforcement, and other agencies. The agencies can use that 
data however they'd like. There's no oversight or supervision 
about how the agencies are using these data, these data 
products.
    Ms. Jackson Lee. Chair Goodlatte, I have a moment. What 
should Congress be doing? This is so vast. It is how should I 
say, it continues to metamorph into new technology. What should 
Congress be doing?
    Mr. Goodlatte. Well, I think a great first step would be to 
pass the Fourth Amendment's Not For Sale Act that's been 
introduced by Chair Nadler. We've heard from Members on both 
sides of the aisle today who've given it good reviews. So, 
there may be some additional work there. I know some Members 
have some amendments they'd like to offer, but perhaps the 
Committee could work in a bipartisan way to finalize that 
legislation and pass it out of the Committee. Then there would 
be a lot of people on the outside--certainly my organization, 
the Project for Privacy and Surveillance Accountability would 
be very committed to working to get that legislation passed 
through the Congress.
    Ms. Jackson Lee. Thank you so very much, Madam Chair. Thank 
you to the Witnesses. I yield back.
    Mr. Stanton. [Presiding.] Thank you. Mr. Bentz, you are 
next.
    Mr. Bentz. Thank you, Mr. Chair.
    Director Goitein, it has been suggested by a number of 
different people and commentators and others that if 
appropriate data had been gathered and appropriate algorithms 
applied the tragic situation in Uvalde could have been avoided.
    Ms. Goitein. Sorry, which tragic--
    Mr. Bentz. The tragic situation in Uvalde, Texas could have 
been avoided. So, how would you respond to someone who suggests 
that data be used in this fashion?
    Ms. Goitein. It's always easy to say that in retrospect. 
It's always easy to say oh, if we went back and looked at that 
person's social media posts, we would have known. The reality 
is that the number of people who post on social media the kinds 
of things that some of the people who do engage in violent acts 
post is astronomically larger than the number of people who 
actually take violent action. It is notoriously difficult to 
predict who is going to engage in violence. So, while it's 
tempting to say that if we could go back and get access to this 
person's social media feed or to their data, we would find the 
silver bullet that would tell us that this person was going to 
do what they did--that's very, very tempting--it's not the 
reality.
    Mr. Bentz. Thank you.
    Ms. Goitein. Yes.
    Mr. Bentz. Chair Goodlatte, first thank you for coming to 
my office and sharing with me your thoughts regarding some of 
the challenges we face on this Committee. I deeply appreciate 
the time you took.
    So, at what point does the gathering of data by private 
companies become violative of civil law? In other words, it has 
often occurred to me if everyone knew exactly how our data was 
manipulated, molded, folded, and utilized, we wouldn't be happy 
about it. I have often thought back to law school days and 
thought about civil claims such as fraud and the inducement in 
that thing. So, are there any grounds do you think for a 
private party to become a plaintiff in a civil law suit based 
upon inappropriate use gathering and then directing of a data?
    Mr. Goodlatte. It's a really interesting question. I think 
that without more of a legal structure to put constraints on 
the gathering of the information unless they gathered it 
through some kind of subterfuge, they actually broke into a 
computer system and stole the information, they may not face 
the kind of liability that you and I might think there might be 
some grounds for.
    I really think that this technology has gotten so far out 
ahead of society in general, and the Congress in particular, 
that it's time for the Congress to look at this broader issue, 
not just the issue that's before the Committee today with 
regard to government buying the data, but the broader issue and 
what kind of liability should arise from that. I think that's 
about all I could offer at this point.
    Mr. Bentz. Thank you. The second question back to Director 
Goitein, and it has to do with the sweeping up of massive 
amounts of data. Then the assertion that's been made by several 
of you over the last couple of hours has been that all will be 
well if we simply go get a warrant for probable cause. Yet, the 
grounds upon which that warrant would issue are dramatically 
different than what they were back when I used to do very badly 
criminal law defense work.
    So, how can anybody say the old standard of probable cause 
makes any sense whatsoever when the data in front of them is so 
massive and so different shall we say than that which we used 
to present when anticipating a criminal action?
    Ms. Goitein. Well, first, I would say that a number of the 
different categories of data that we're talking about actually 
would not require a warrant. They might require a subpoena, or 
they might require what's called a D order under the Electronic 
Communications Privacy Act. Not all information is Fourth 
Amendment protected information that requires a warrant. 
Geolocation information is one of the main commodities that's 
being purchased. That should be protected by a warrant.
    In terms of how the warrant requirement has evolved I think 
that's probably a better question for Professor Wexler. I'm 
sorry to say I don't know enough about that.
    Mr. Bentz. Let's hop to her very quickly. Professor Wexler, 
what do you think?
    Ms. Wexler. Thank you. Well one thing that's changed is 
that when law enforcement collects data, it doesn't necessarily 
know flaws in the collection method. So, hacking was brought 
up. If hacking was engaged in by a private entity and then that 
information was laundered through a series of data brokers, 
even if law enforcement obtained a warrant at the end to 
purchase it downstream, they might not get access to that 
extremely important exculpatory information that the defense 
would need to know.
    So, one thing the Committee might consider is adding 
additional requirements in these contexts beyond probable cause 
to identify and gain possession of exculpatory or impeachment 
material that law enforcement, otherwise wouldn't obtain and 
that's essential to protect defendants' Brady and statutory 
discovery rights.
    Mr. Bentz. Thank you. Mr. Chair, I yield back.
    Mr. Stanton. Thank you very much. Ms. Jayapal is 
recognized.
    Ms. Jayapal. Thank you, Mr. Chair. It is good to see you, 
Chair Goodlatte.
    I wanted to focus my comments on another part of sensitive 
data, which is face recognition technology. This is also an 
area where we have had a lot of bipartisan interest. There is a 
lot of sensitive personal information that is requested 
constantly from law enforcement from both commercial brokers 
and State government to surveil the public with face 
recognition technology. Face recognition technology is up to 
100 times more likely to misidentify people of color. There are 
very few guardrails in place to regulate the use.
    The unregulated application of this technology to our most 
sensitive information, our faces, is precisely why I introduced 
the Facial Recognition and Biometric Technology Moratorium Act, 
which presses a pause. It doesn't say never, but it presses a 
pause on unregulated government use of face recognition and 
biometric monitoring.
    This past year, the IRS planned to contract with ID.me, 
requiring anyone accessing their tax records online to upload 
images of their photo IDs and a live video of their face with a 
computer or a smartphone. While the IRS ultimately abandoned 
this plan, ID.me still has contracts with 10 Federal agencies 
and 30 States. In fact, there is an entire market of commercial 
platforms that collect sensitive data from users to sell to the 
government.
    Because I want anybody who is watching this hearing to 
understand what pieces of data, I am going to direct some 
questions at you, Professor Lamdan. You can just answer yes or 
no, in terms of whether this information is available to the 
government.
    So, the LexisNexis Digital Identity Network collects and 
processes people's online log-ins, payments, and new account 
applications. Is that information available to the government?
    Ms. Lamdan. Yes.
    Ms. Jayapal. Babel Street collects digital device location 
data derived from online advertisers and popular mobile apps. 
Is that information available to the government?
    Ms. Lamdan. Yes.
    Ms. Jayapal. Clearview AI uses facial recognition 
technology to harvest and store millions of photos from social 
media users across multiple platforms. Is that information 
available to the government?
    Ms. Lamdan. Yes.
    Ms. Jayapal. So, these are just examples of the many ways 
in which, if you are just using the internet, you are using 
programs, your information is accessible.
    Now, the Federal government also uses face recognition 
technology to analyze State-level data. Since 2015, U.S. 
Immigration and Customs Enforcement has performed face 
recognition scans of driver's license databases in at least 14 
States. Up until the discovery of this practice in 2018, this 
included my home State of Washington.
    Professor Wexler, are immigrants the only people whose 
licenses are being process here, or does it go way beyond that? 
What Fourth Amendment--let me just add to that--what Fourth 
Amendment implications does this have for every person in the 
country?
    Ms. Wexler. It goes way beyond this. Everybody's 
information is being collected and their faces are being 
included in DMV and other databases. So, this is an issue that 
affects all of us.
    Ms. Jayapal. Driver's licenses, when you think about it, we 
use it for everything--I mean, literally, everything.
    So, Professor Lamdan, just stay with ICE for a minute. How 
does ICE's use of facial recognition technology on State 
driver's licenses impact people's lives, and are there impacts 
on public safety or health?
    Ms. Lamdan. Yes. So, that is why I think the title of 
today's hearing is dragnet, right? They don't just pick out 
particular driver's licenses. They sift all our driver's 
licenses and all our data through these systems, these 
predictive policing systems, predictive analytic systems, and 
especially in the case of like driver's licenses and car 
tracking.
    There have been fatal car chases. There have been all sorts 
of incidents where people's lives have been put at risk due to 
kind of this data tracking and people's use of data--or I'm 
sorry--ICE's use of data.
    Ms. Jayapal. So, it is really not that ICE is just focusing 
on immigrants. As they go through, they are going to take the 
entire scope of driver's licenses that are there and analyze 
anybody's?
    Ms. Lamdan. Yes. Exactly. They are going to sift 
everybody's data through their system, and they have access to 
everybody's data. As you said, these systems tend to 
discriminate and have biases, and have just kind of errors in 
them that tend to target certain types of--like you said about 
facial recognition, it tends to disproportionately misidentify 
people of color. So, yes.
    Ms. Jayapal. Thank you. I think it is important for people 
to understand--and I am glad for this hearing because the 
Federal government has built out a very invasive and 
unregulated surveillance infrastructure through the use of 
these technologies, including face recognition technology.
    I had a question for you, Chair Goodlatte, but I am out of 
time. So, I thank you again for being here.
    I yield back.
    Mr. Stanton. Thank you. Mr. Owens?
    Mr. Owens. Thank you, Mr. Chair, Ranking Member, and 
Witnesses, for holding this very important hearing today.
    First, let me just start off by saying that I applaud this 
bipartisan approach that this Committee has taken in terms 
access to our personal data, and I look forward to supporting 
this legislation.
    I also want to thank my friend, Brett Tolman, for his 
participation as a Witness. Mr. Tolman has a long and 
distinguished career and service in my State of Utah, where he 
is a U.S. Attorney. He has since been an innovative and fair 
voice in criminal justice reform, among other important issues.
    Mr. Tolman, Ranking Member Jordan earlier discussed a 
little about tracking of citizens for political reasons. I want 
to leave the remainder of my time for any thoughts you might 
have on that or anything else that you might want to add to 
this conversation.
    Mr. Tolman. Thank you, Representative Owens. It is great to 
see you again and to be among discussions of such an important 
topic.
    I would say that the recognition that it goes both ways, 
that power can be abused, no matter the political affiliation, 
is very important. We have heard a lot of discussion about what 
could be done for those that may be seeking an abortion in some 
of the States, but it is equally as frightening to hear about 
the potential use, based on someone's vaccination status, for 
example, whether they believe in natural immunity. A lot of the 
medical and health issues that we have discussed and seen over 
the last two years with COVID have really brought to the 
forefront the ability of the government to justify its use, 
depending on the circumstances that it is currently enduring.
    I believe that this can go back and forth, depending on the 
political power that is currently in Washington, DC, or in our 
State capitals, or across even our local and State 
jurisdictions. We have seen that, when the Department of 
Justice identifies a cross-section of individuals it is 
concerned about, you hear language frequently suggesting that 
they are a domestic threat, for example, or they may pose a 
domestic threat. This is language that allows them to broaden 
their capabilities and use surveillance to that end. It should 
be frightening, and I am encouraged that the Congress is taking 
these issues up.
    Mr. Owens. Thank you so much, again, for your service.
    I yield back.
    Mr. Stanton. Thank you. Now, more than ever, the private 
details of Americans' lives are for sale. As a consequence of 
our connectivity, technology companies, smartphone apps, and 
data brokers scoop up our sensitive data, ranging from our 
internet searches to our home addresses, to our cell phone 
locations, and neatly package them to sell in the marketplace 
to other citizens, to foreign actors, and to the United States 
Government. While brokers claim the data they sell is 
anonymous, these companies maintain databases so large and 
aggregate so much personal information that we all may be re-
identified by savvy purchasers of that data.
    What is more, that data collection has been utilized by law 
enforcement to modernize investigative tactics, relying on 
warrants obtained through geofencing, keyword searches, and 
cell site location information. While these tactics have aided 
law enforcement in many cases, abuse of these warrants and 
authorities have led to numerous civil rights violations, 
particularly of the Fourth Amendment's protections.
    For instance, in my home State of Arizona, a man was 
wrongfully arrested, interrogated, and imprisoned, and accused 
of murder, all because his Google location data indicated that 
he had been in the vicinity of a shooting. As The New York 
Times put it, such location data, quote, ``can help solve 
crimes, but it can also snare innocent people,'' unquote, as it 
did in this particular case.
    It is not just law enforcement's ability to access this 
data that causes me alarm. In our post-Roe world, in the wake 
of several States proposing or enacting bounty-style laws which 
reward vigilantes for reporting their neighbors and community 
Members to police, I have grown increasingly concerned about 
the safety of those seeking medical care or even just medical 
information about reproductive health.
    In fact, I joined many of my House colleagues in calling on 
the FTC to use its full authority to ensure that data brokers 
are protecting users' privacy and to strongly enforce privacy 
standards against data brokers who break the best practices, 
including by prosecuting their illegal actions.
    It is clear that this issue is not going away, and Congress 
must take action to legislate on privacy.
    Professor Wexler, in the Arizona case I described, a man 
was publicly and falsely accused of murder based upon his 
Google location data. How do geofence warrants create 
situations for mis-
identification and wrongful arrest?
    Ms. Wexler. So, it is a really important question. I am 
actually not an expert on the Fourth Amendment. My research 
focuses on criminal defendants' access to data. So, I think 
another Witness maybe would be better to speak on geofence 
location warrants.
    Mr. Stanton. Thank you. Any other Witness who would like to 
speak on the issue of geofencing? Please.
    Ms. Goitein. I would be happy to speak. Geofence warrants 
are when the government goes to Google with a warrant and 
requests the information for all the cell phones within a 
particular geographic location for a particular time period. 
The government can then look for suspicious patterns of 
movement and use that to try to figure out who committed 
whatever crime they are investigating. Google received more 
than 11,000 of these warrants in 2020 alone.
    Even though the government has a warrant, there is a major 
Fourth Amendment problem with these warrants. The Fourth 
Amendment has something called a particularity requirement, 
which, roughly, means the government has to show probable cause 
that searching a particular place, a particular home, or a 
particular device will yield evidence of a crime.
    Usually, the way that works is that the government has a 
suspect, they can show probable cause that they committed the 
crime, and they therefore have a justification for searching 
that person's home or device, or what have you.
    Geolocation warrants work in reverse. They allow the 
government to obtain the Fourth Amendment protected information 
of dozens, hundreds, maybe even thousands of people, even 
before the government has a suspect. It is the equivalent of 
searching every home in the neighborhood of a crime to figure 
out who committed it. As you can imagine, if you are just 
looking for suspicious movements, and then deciding that this 
means that somebody is your suspect, that is going to result in 
a fair number of false flags.
    Mr. Stanton. Let me ask a follow-up question. Could a 
geofence warrant be used in the case of an abortion provider, 
for instance, to identify employees or patients of that medical 
facility? If so, what harms could occur because of that 
identification?
    Ms. Goitein. Yes. A geofence warrant can be used for any 
purpose. There does have to be a crime that the government is 
investigating because there is a warrant involved. At that 
point, the government can pull in the information of everyone 
who was at or near a healthcare provider that provides abortion 
care services.
    That will, of course, probably sweep in a lot of people who 
were shopping at the convenience store next door or who were at 
the provider for reasons other than abortion care, as well as 
obtaining Fourth Amendment protected information of women who 
are seeking abortion care without meeting the legal standard 
that needs to be met under the Fourth Amendment and under the 
laws Congress has passed to obtain that information.
    Mr. Stanton. It is a scary proposition.
    Thank you. I yield my time back. Next, I will recognize Mr. 
Fitzgerald.
    Mr. Fitzgerald. Thank you, Mr. Chair.
    Chair Goodlatte, thank you for being here today. It is good 
to see you.
    FISA exists to enable the government, obviously, to conduct 
counterintelligence and counterterrorism operations. When other 
criminal activity is incidentally discovered, it can be noted 
and passed on to the appropriate authorities, obviously.
    I don't think FISA was meant to be kind of this treasure 
trove of information that law enforcement has kind of 
discovered is very readily available and kind of at their 
fingertips, until it was continued to be relayed to them on a 
regular basis that all they had to do is come up with the 
request.
    It is such a massive database and there are so many other 
communications, some of them foreign-related and international. 
The problem is that some law enforcement agencies have used 
kind of the national security information as predicated to be 
unrelated to national security originally. The issue is, then, 
they are hiding the origin of the cases from the judges and the 
defense attorneys.
    So, I was wondering, when you guys looked at this--and when 
it has been before Congress now, there were some guardrails put 
in place. Do you think law enforcement has jumped those 
guardrails or are operating outside of those guardrails? If 
they are, what could we do to bring that back together?
    Mr. Goodlatte. I do think they have jumped the guardrails. 
In the Congress, this Committee, in particular, is going to 
have an opportunity next year to take up the form of section 
702. That is a very important provision in FISA that allows the 
gathering of information about non-citizens outside the United 
States. Incidental to that, lots of information is gathered 
about U.S. citizens, and that information is, then, shared with 
U.S. law enforcement agencies, particularly the FBI.
    We think that there are not enough guardrails to require 
that the FBI show probable cause before they tap into that 
database to examine the information that they have at hand. So, 
that is an opportunity to take up in the future.
    Another way around that has been for law enforcement--and 
other government agencies, by the way; we are not just talking 
about law enforcement agencies; we are talking about almost any 
agency of the Federal government and almost any agency of a 
State or local government to buy information. That is the 
subject of the Fourth Amendment Is Not For Sale Act, which we 
have heard a lot of bipartisan interest in here today, which I 
think is a very good thing.
    Mr. Fitzgerald. Thank you. Thank you very much.
    Mr. Tolman, I wanted to direct a question to you as well. 
CBP and ICE have spent literally millions of dollars on 
contracts with data brokers like Venntel and LexisNexis. These 
contracts are intended to help the agencies enforce immigration 
laws, but there is a concern among many Members of Congress 
that somehow this information is being gathered on American 
citizens and being collected.
    I am just wondering if you wanted to comment on that? Or, 
certainly, that is a concern, even if you can't verify or 
underscore that it is actually happening.
    Mr. Tolman. Yes, no question, it is happening. No question 
that these brokers, you know, the amount of data points that 
they are able to gather is enormous.
    Keep in mind that you are also dealing with a situation in 
which the government, whereas, in times past they might have 
had a fingerprint database that came as a result of someone 
being arrested, and then, they have a database full of that, or 
DNA evidence of suspects that were brought in, that is very 
different than regular citizens of the United States, which 
have much of the data that could be pointed towards them, and 
sometimes falsely pointed towards them, for commission of a 
crime.
    So, we should be concerned, and we have to be very 
concerned about the robust nature of the databases that are 
being purchased by our government agencies.
    Mr. Fitzgerald. Yes, I think one of the other issues is 
this lackadaisical kind of approach, and I think any American 
citizen who is not really in tune to this says, I have nothing 
to hide. Who cares if they gather this information and box it 
up, and put it into some kind of dataset?
    That is another concern that I think Congress has to 
address. What are your thoughts on that as well?
    Mr. Tolman. Yes, I 100 percent agree. All my family 
believes TikTok is very innocent and fun and the most enjoyable 
part of their day. Yet, we are watching just the potential for 
our privacy rights to be violated at enormous levels. So, I 
hope Congress is our last hope to fix it.
    Mr. Fitzgerald. Very good. Thank you.
    Mr. Stanton. Thank you very much. I now recognize Ms. Ross.
    Ms. Ross. Thank you, Mr. Chair. Thank you to all our 
Witnesses for being here.
    The Fourth Amendment is supposed to protect Americans 
against unreasonable searches and seizures. However, the Fourth 
Amendment remains dangerously undefined in the wake of 
technological advances, and we have discussed that for several 
hours here.
    Today, it is nearly impossible to avoid technology, and 
therefore, nearly impossible to avoid the consequences of using 
technology, including the availability of personal data getting 
into the hands of interested parties.
    The Supreme Court recognized this reality in 2018, in the 
Carpenter case, which found that the government must obtain a 
warrant supported by probable cause to access cell site 
location information of more than seven days in most 
circumstances. In its decision, the court noted that the 
services--cell phones--that are so pervasive, they are an 
insistent part of daily life, and that carrying one is 
indispensable to the participation in modern society.
    More recent cases have also extended Fourth Amendment 
protection to personal data. Earlier this year, Judge Hannah 
Lauck ruled in the United States v. Chatrie case that law 
enforcement's use of Google location data to find people near a 
scene of a 2019 bank robbery violated the protections 
guaranteed by the Fourth Amendment. She noted her deep concern 
that current Fourth Amendment doctrine may be materially 
lagging behind technological innovations and emphasized the 
``analysis of geofences does not fit neatly within the Supreme 
Court's existing `reasonable expectation of privacy' doctrine 
as it relates to technology.''
    Notably, both the Carpenter and the Chatrie rulings 
highlight the fact that users often do not consent to the 
surveillance they find themselves under, or they consent once 
when setting up their accounts, without recognizing the amount 
of personal data that can be accessed from their phones for 
years to come.
    While some laws, including the Electronic Communications 
Privacy Act of 1986 and the Privacy Act of 1974, have attempted 
to provide some degree of protections, and we have had some 
later attempts, the last attempts are older, include loopholes, 
and they allow government authorities to buy private data from 
data brokers without a warrant, as we have discussed.
    We, clearly, need a better understanding of the extent of 
Fourth Amendment protections in the Digital Age and new 
standards for ensuring consumers comprehend how their data can 
be used.
    I would like to ask--I know we only have two minutes left--
each of our Witnesses to say what one change they would ask 
Congress to make in evolving Fourth Amendment jurisprudence 
that would make a difference in the daily lives of our 
constituents. I will start with Ms. Goitein, since she looked 
like she was thinking, and then, we can move along the way.
    Ms. Goitein. I'm conflicted. Do I have to pick one?
    Ms. Ross. Well, I am sure somebody will pick the other one.
    Ms. Goitein. There's the long-term and the short-term.
    I'm sorry, I'm fighting the premise--
    Ms. Ross. Pick two. Pick two. Go ahead.
    Ms. Goitein. Okay. In the short-term, Congress should pass 
the Fourth Amendment Is Not For Sale Act. That will go a long 
way toward closing the loopholes in existing laws, and those 
loopholes are what are allowing the government to buy its way 
around the Fourth Amendment.
    At the same time, I would begin the project of 
comprehensive data privacy regulation because we need it. We 
need laws that limit what information companies can collect; 
how long they can store it; who they can share it with; and 
what kinds of consent they need to share it.
    Ms. Ross. Okay. Chair Goodlatte?
    Mr. Goodlatte. Well, following along the lines of 
protecting our Fourth Amendment rights, I would call attention 
to something we haven't talked much about here today, and that 
is the fact that, when the FISA court issues warrants allowing 
for the surveillance of various parties that are brought to the 
attention of the court, almost always there is only the 
government and their making the argument that they should have 
the opportunity to do the surveillance.
    I think there are a number of circumstances, particularly 
when civil rights, religious organizations, political 
campaigns, and other important things are being involved in 
surveillance, that there ought to be somebody not representing 
the target of the investigation, but somebody representing the 
public's interest in protection against unlawful searches and 
seizures.
    I know you have taken an interest in that legislation. 
Congressman Stewart has. In the Senate, it's known as the Lee-
Leahy or Leahy-Lee Amendment that was offered to FISA a couple 
of years ago. I think that would be a very important 
contribution.
    I agree with Liza, right now would be to pass the Fourth 
Amendment Is Not for Sale Act.
    Ms. Ross. It is up to the Chair whether the other--
    Mr. Stanton. A brief answer by the other Witnesses, please.
    Ms. Lamdan. All right. In addition, of course, to 
everything that Chair Goodlatte and Liza just said, I'd also 
ask everybody to take a look at the Privacy Act of 1974. I'm an 
administrative law professor, so everything for me goes back to 
administrative law. That law was actually based on something 
called the Fair Information Practice Principles, which give a 
lot of due process requirements, like transparency and notice, 
and like consent requirements before massive data collection 
happens by the Federal government.
    Mr. Stanton. Ms. Wexler, a short answer.
    Ms. Wexler. Thank you. Requiring law enforcement to obtain 
exculpatory evidence on behalf of the accused if defense 
counsel is unable to obtain it directly. This is a much bigger 
problem now that law enforcement is getting so much more data 
from the private sector, rather than seizing or searching it 
directly, in which case law enforcement would, in the process 
of collection, gain exculpatory information about flaws in the 
data or the method. If they buy it from the private sector, 
they don't get access to those flaws. So, Congress should 
impose some obligation on law enforcement to gain possession of 
exculpatory evidence and hand it to the accused.
    Mr. Stanton. Mr. Tolman?
    Mr. Tolman. I agree with the FISA reform, the warrant 
reform, and the privacy reform. I would add that you empower 
this, the Inspector General over DOJ, with more authority and 
capability to go after abuse when it occurs.
    Ms. Ross. Thank you, Mr. Chair, for your indulgence. I 
yield back.
    Mr. Stanton. Thank you. The Chair now recognizes Mr. 
Steube.
    Mr. Steube. Thank you, Mr. Chair.
    My questions are for Mr. Tolman. The FBI has purchased 
thousands of licenses for software to canvass social media 
postings. In April of 2021, FBI agents mistakenly raided the 
home of an Alaska couple in search of Nancy Pelosi's laptop 
from January 6th. This raid was partially because of bad or 
misleading information that they garnered from social media 
postings.
    Beyond the obvious privacy implications related to mass 
collection of online data, does the practice also lead to 
sloppy law enforcement and mistaken identities?
    Mr. Tolman. There's no question that the use and the 
overreliance on massive databases has produced great 
injustices, whether it be from targeting of political 
adversaries to the misidentification among persons of color, to 
you name it.
    So, the abuse is very prevalent, and it is growing. I would 
just caution Members of Congress that we only know the tip of 
the iceberg in terms of the abuse because we do not have enough 
transparency to understand it fully.
    Mr. Steube. Along those lines, it has been widely reported 
that January 6th defendants have received increased sentences 
and harsher treatment based on the political views that they 
expressed on social media posts. They aren't being punished for 
just their actions, but, also, for the beliefs that they held. 
Some have even been subject to increased sentences for daring 
to question the legitimacy of the 2020 election. Presumably, 
some or many of these posts were found through social media 
canvassing programs discussed in this hearing.
    Does this level of government surveillance open the door to 
government persecution based on ideology? Mr. Fitzgerald hit on 
some of the FISA issues you saw in the Russia collusion hoax 
that we dealt with. If you could comment on that?
    Mr. Tolman. There is a great potential, when utilizing all 
the data points that are now being collected, to actually work 
in reverse than what we think a criminal investigation would be 
in. That is to analyze the evidence, and then, pursue a 
particular target. Instead, what is happening is a target is 
identified, and then, they reverse-engineer the evidence that 
is necessary to justify their investigation. That's a problem 
no matter who's in power. It is a problem for abuse.
    Mr. Steube. I just want to, in the time that I have 
remaining, just kind of get your opinion generally on the 
Patriot Act. Then, I set it up with a couple of examples.
    There are specific reasons why Democratic Members of 
Congress, and Speaker Pelosi herself, have called Republican 
Members of Congress ``domestic terrorists.'' The reason for 
that is they can use the Patriot Act to surveil on people that 
are deemed domestic terrorists.
    I am aware of situations where Republican Members' staff 
who happened to be in or around the area on January 6th, 
because they work here were randomly picked up because the FBI 
were using the technological capabilities that they have and 
marking as to whose cell phone numbers were here, and then, 
randomly asking them to come and have questions from them.
    What is generally your perspective on the Patriot Act and 
the abuses that we have seen occur? Again, to your point that 
you just made, we really will not know the depth of all of 
those abuses until we have full transparency from the FBI and 
the DOJ, which we are obviously not going to get, certainly, 
under this administration. I would like to know, generally, 
what your feeling is on the Patriot Act and the abuses that we 
have seen, where they use the term ``domestic terrorist'' to 
surveil on individuals like Trump collusion hoax and FISA, and 
that sort of thing, to surveil on the American people.
    Mr. Tolman. Well, there's no question that, when the 
Patriot Act was passed and reauthorized in 2005, representation 
from Department of Justice and the FBI was that it would not 
reach and extend to citizens of the United States. That was 
with respect to most of its provisions, especially those that 
we hear so much about.
    You take delayed notice search warrants, for example. We 
were told that they would rarely request much of a delay in 
giving notice that they were searching a target's person or 
place or surveilling them.
    We learned later, through the Inspector General, that this 
was not the case; that Congress had been misrepresented to on 
its use. That abuse, I'm certain, has not stopped. Those that 
have that power need to be reined in, and if not, they will 
continue to utilize the tools that are given them.
    Mr. Steube. To your point, we are never going to know until 
there is transparency and documents, and the DOJ and the FBI 
are going to hide behind ongoing investigation, or that type of 
thing, to not give Congress the answers of what is really going 
on in these investigations.
    So, absolutely, Congress needs to Act as it relates to all 
these programs and the surveillance, and all these things 
related to this. So, I want to thank all the Witnesses for 
their time here today.
    I yield back.
    Mr. Stanton. Thank you very much, Mr. Steube.
    This concludes today's hearing. We thank all our Witnesses 
for participating. Mr. Chair, welcome back.
    [Whereupon, at 1:43 p.m., the Committee was adjourned.]

                                APPENDIX

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]
      

                 QUESTIONS AND RESPONSES FOR THE RECORD

=======================================================================

[GRAPHICS NOT AVAILABLE IN TIFF FORMAT]

                                 [all]