Last Friday, The Wall Street Journal revealed that the Department of Homeland Security has been using commercially available cell phone location records for immigration and border enforcement. US Immigration and Customs Enforcement, the paper reported, has used the data “to help identify immigrants who were later arrested,” while Customs and Border Protection uses it “to look for cellphone activity in unusual places.”

On the one hand, the news is kind of a duh. If you’ve been following privacy issues at all in recent years, you know that websites and smartphone apps are sharing your detailed location information with data brokers and advertisers. Why wouldn’t law enforcement want to take advantage of that trove of surveillance intel? On the other hand, while the extent and specific details of the DHS program remain unclear, its existence raises a much broader set of questions. There’s nothing stopping other law enforcement agencies from making use of these data sets. (The exception is Utah, which passed a 2019 privacy law requiring police to get a warrant for certain types of online data.) The Fourth Amendment is supposed to prevent government officials from tracking our every move. Can they really just buy their way around the Constitution?

The Fourth Amendment gives the people the right to be free from “unreasonable searches and seizures.” Applying that rule to location data generated by the devices we carry with us 24/7, however, is still very much a work in progress. The question first came up at the Supreme Court only two years ago, in Carpenter v. United States, and the answer was limited to a specific category of data known as cell site location information, or CSLI. To tie Timothy Carpenter to a string of robberies—of cell phone stores, neatly enough—the FBI in 2011 subpoenaed his cell-tower location records, which placed him near the scenes of the crimes. The government argued that it didn’t need to get a warrant because of the so-called third party doctrine, which says that you surrender any expectation of privacy when you share information with a third party.

The Supreme Court disagreed. In a landmark ruling, Chief Justice John Roberts sided with the court’s four liberals to hold that the third-party doctrine, which was established in the 1970s, simply doesn’t make sense for information as sensitive and revealing as CSLI. “When the government tracks the location of a cell phone it achieves near perfect surveillance,” Roberts’s majority opinion explained. Despite the sweeping language, however, the ruling was narrow: If the cops want to get seven days’ worth or more of individual location records from the likes of AT&T or Verizon, they need to come up with a warrant. Roberts left open what should happen in other scenarios, including cell-tower dumps, in which cops can request records of every mobile phone at a particular location over a certain time period.

Meanwhile, CSLI is far from the only type of location data available today, and wireless carriers are far from the only entities keeping track of our whereabouts. Software development kits embedded in thousands of apps, even ones that have no obvious need to know where its users are located, are gathering and selling that information across the digital advertising landscape. It comes not from cell tower pings but from things like GPS tracking and IP addresses. It’s purchased in bulk and often “anonymized,” or stripped of identifying info—although, as a recent New York Times report illustrated, it’s trivially easy to connect anonymized bulk location data back to individual cell phone users.

“If the Department of Homeland Security was going straight to the companies to get this stuff, there would be a bar on them voluntarily disclosing or selling it to DHS.” Nathan Freed Wessler, ACLU

The bigger twist here is that, unlike in Carpenter, DHS isn’t subpoenaing location records; it’s buying them from Venntel, a data broker that according to the Journal has ties to Gravy Analytics, a major adtech company. Does the Fourth Amendment, or any other legal protection, even apply to this type of transaction?

Nathan Freed Wessler, the ACLU lawyer who successfully argued Carpenter’s case at the Supreme Court, said there are at least two ways in which this arrangement could violate the law. The first concerns the companies originally gathering location data, rather than the government. Under the Stored Communications Act of 1986, companies that store and transmit user data are generally prohibited from “knowingly” sharing those records with the government. That, Wessler said, probably doesn’t apply to a broker like Venntel that doesn’t deal with consumers directly. But it could apply to the app makers who are passing data along to companies like Venntel, if they know it will eventually end up in the government’s hands.