For years, the U.S. government has bought information on private citizens from commercial data brokers. Now, for the first time ever, American spymasters are admitting that this data is sensitive—but they’re leaving it up to the spy agencies to decide how to use it.

Last week, Director of National Intelligence (DNI) Avril Haines released a “Policy Framework for Commercially Available Information.” Her office oversees 18 agencies in the “intelligence community,” including the CIA, the FBI, the National Security Agency (NSA), and all military intelligence branches.

In the 2018 case Carpenter v. United States, the Supreme Court ruled that police need a warrant to obtain mobile phone location data from phone companies. (During the case, the Reason Foundation filed an amicus brief against warrantless snooping.) As a workaround, the feds instead started buying data from third-party brokers.

Haines’ new framework claims that “additional clarity” on the government’s policies will help protect Americans’ privacy. Yet the document is vague about the specific limits. It orders the agencies themselves to come up with “safeguards that are tailored to the sensitivity of the information” and write an annual report on how they use this data.

As national security journalist Spencer Ackerman points out in his Forever Wars newsletter, the framework doesn’t require the feds to delete old purchased data. Earlier this year, Sen. Ron Wyden (D–Ore.) called on the NSA to purge all data that it bought without a warrant and without following the Federal Trade Commission’s privacy policies.

“The framework’s absence of clear rules about what commercially available information can and cannot be purchased by the intelligence community reinforces the need for Congress to pass legislation protecting the rights of Americans,” Wyden tells Reason. “The DNI’s framework is nonetheless an important step forward in starting to bring the intelligence community under a set of principles and policies, and in documenting all the various programs so that they can be overseen.”

The senator says he will keep working to ensure “that Congress is fully informed of all these programs.” He and Rand Paul (R–Ky.) have been trying to pass the Fourth Amendment Is Not For Sale Act, which would ban buying data from third-party brokers. Although the bill passed the House of Representatives last month, the Biden administration opposes it.

Wyden has been aggressively pushing for transparency on data purchases over the past few years. In 2021, he uncovered that the Defense Intelligence Agency was buying Americans’ smartphone location data. That same year, he sent a letter to Haines and CIA Director Bill Burns complaining about a secretive CIA data collection program. (In an Orwellian turn, the letter itself was classified until 2022.) This year, Wyden revealed more details on NSA data purchases.

Some of this data is collected and sold directly by the apps. For example, an intelligence company called X-Mode once paid MuslimPro, an app that offers a daily prayer calendar and a compass pointing towards Mecca, to include a few lines of location tracking code. X-Mode then sold the data to U.S. government agencies. MuslimPro claims that it did not intend to sell the data to the government and ended the arrangement after the story broke.

In other cases, the data is siphoned from advertising markets. Every time a user opens a website with paid advertisements, their location and attributes appear on a real-time bidding (RTB) exchange, a virtual auction where companies buy ad space. Data brokers posing as advertisers scrape the listings for information on users.

“Any government with a halfway decent cyber intelligence program is participating in these RTB exchanges, because it’s such an immensely valuable source of data,” says Byron Tau, author of Means of Control: How the Hidden Alliance of Tech and Government Is Creating a New American Surveillance State.

As a demonstration of how powerful RTB data is, an intelligence contractor used data from the dating app Grindr to track gay government employees from their offices to their homes, Tau reported in his book. Another firm called Near Intelligence used RTB data to help anti-abortion groups track women who visited Planned Parenthood clinics.

Earlier this year, WIRED revealed that Near Intelligence had used RTB data to build a dossier on sex trafficker Jeffrey Epstein’s associates, tracing mobile phone owners from his private island to addresses in the continental United States and other countries.

The new U.S. intelligence policy is “sort of a recognition that this data is actually sensitive, which is a bit of a change,” Tau notes. “Early on, government lawyers were saying basically it’s anonymized, so no privacy problem here.”

For example, U.S. Customs and Border Protection insisted in a 2018 privacy assessment that the agency “receives only anonymized data from commercial sources…with no associated PII,” or personally identifiable information. But the border cops have used that supposedly anonymous data to track and arrest specific people.

Lawyers for the Internal Revenue Service, on the other hand, have argued that users voluntarily handed over the information, so the government is free to use it. Tau points out that users don’t really know how their data is being resold, and even the RTB exchanges themselves aren’t supposed to be used for data scraping.

“A lot of these companies that are collecting data from the global population don’t have a real consumer relationship” with the people they’re spying on, Tau says. “Unless you know how to decompile software and you’re technically savvy, you can’t even make informed choices.”