Kash Patel Told Congress the FBI Buys Your Location Data. No Warrant Needed.

The FBI director confirmed it publicly for the first time in three years: the bureau is actively purchasing Americans' location data from commercial brokers, and it doesn't need a judge's signature to do it. The Fourth Amendment has a loophole the size of a $100 billion industry.

On March 18, 2026, FBI Director Kash Patel sat before a Senate hearing and said something that should have made every American reach for their phone. When asked by Senator Ron Wyden (D-OR) whether the FBI would commit to not purchasing Americans' location data without a warrant, Patel declined.

"We do purchase commercially available information that is consistent with the Constitution and the laws under the Electronic Communications Privacy Act - and it has led to some valuable intelligence for us," Patel said, per reporting by TechCrunch and Politico.

That answer is the story. Not because government surveillance is new - it isn't. But because the last FBI director, Christopher Wray, testified in 2023 that the bureau was not actively purchasing location data. Now the current director is confirming it is. Actively. The tap was turned back on, and this is the first public acknowledgment.

How a 1986 Law Became the Government's Best Friend

The Electronic Communications Privacy Act was signed into law by Ronald Reagan. The Soviet Union still existed. The first cell phone call had been made three years earlier. Email was a novelty used by academics. Congress wrote a law governing electronic surveillance for a world where "location data" meant asking someone where they were.

ECPA did not contemplate a world where every phone silently broadcasts precise GPS coordinates to dozens of apps, where those apps sell access to advertising networks, and where data brokers package all of it into dossiers available for purchase by anyone with a budget - including federal law enforcement agencies who don't want to bother with a judge.

The Fourth Amendment protects Americans against "unreasonable searches and seizures." The Supreme Court's 2018 decision in Carpenter v. United States held that the government needs a warrant to obtain historical cell-site location data from phone carriers. But that ruling was specifically about carrier data - the records kept by your phone company. It said nothing about commercially purchased data from third-party brokers.

The FBI's position, which Patel essentially confirmed in his testimony, is that buying "commercially available" data sidesteps constitutional warrant requirements entirely. The logic: if a private company can sell it, the government can buy it. Your phone app's terms of service - buried in 3,000 words of legalese you tapped "agree" on - waived your privacy from federal surveillance.

As Senator Wyden put it after Patel's testimony: buying information on Americans without a warrant is an "outrageous end-run around the Fourth Amendment." The FBI has never had to defend this theory in court. No judge has ever ruled on whether the warrantless commercial purchase of precise location history violates the Constitution. The government has simply done it and not told anyone.

The Pipeline: From Your Phone to Federal Databases

The mechanics of how your phone's location ends up in a federal database are worth understanding precisely, because the chain is so diffuse that no single actor looks obviously malicious.

Step one: you download an app. Maybe it's a weather app, a game, a flashlight, a discount coupon aggregator. The app requests location permission - you grant it, because that seems reasonable for a weather app. The app's code includes an SDK (software development kit) from an advertising network. That SDK silently transmits your location - with timestamp, device ID, and often your advertising identifier - back to the ad network's servers.

Step two: the ad network uses this data for "real-time bidding" (RTB), the auction system that determines which ad appears when you load a webpage or open an app. Every time an ad loads, a packet of your data - including precise location - is broadcast to hundreds of potential ad buyers simultaneously. The winning buyer sees the data. But so do all the losers. That broadcast is the source. Surveillance firms intercept this RTB stream and harvest location data without ever needing a relationship with the original app.

Step three: data brokers aggregate this. They match device IDs to real identities using email addresses, phone numbers, and other cross-referencing techniques. They build historical location profiles - where you sleep, where you work, where you worship, who you meet with. They package this into queryable databases and sell subscriptions.

Step four: federal agencies buy access. A documented example: U.S. Customs and Border Protection purchased a tranche of data sourced from RTB services, according to a document obtained by 404 Media in 2024. CBP used it to track people's movements at and near the border. No warrant. No court order. A budget line and a data contract.

"Government agencies typically have to convince a judge to authorize a search warrant based on some evidence of a crime before they can demand private information about a person from a tech or phone company. But in recent years, U.S. agencies have skirted this legal step by purchasing commercially available data." - TechCrunch, March 18, 2026

Every Agency Is Doing It

The FBI is not alone. It is not even close to being the largest purchaser. What Patel's confirmation establishes is that the practice has been normalized to the point where the director of the FBI will simply acknowledge it in public testimony as an unremarkable fact of law enforcement life.

Immigration and Customs Enforcement (ICE) has used commercial data to track undocumented immigrants. The agency purchased access to a database of utility records that it used to map the addresses of people not in federal databases - effectively a surveillance operation that bypassed normal legal process. Vice News reported in 2020 that ICE paid data broker LexisNexis more than $20 million for tools that included location and identification services.

The IRS Criminal Investigation division purchased access to a product called Venntel's location data tool in 2020 and 2021, spending approximately $2.5 million, according to contracts reviewed by BuzzFeed News. The IRS characterized it as a tool for tracking financial criminals. Critics noted that it could track anyone.

The Drug Enforcement Administration has used commercial location data to track suspects without obtaining warrants, a practice the ACLU has documented through FOIA litigation. The DEA's specific spending figures remain largely classified, but contract databases show payments to multiple data broker firms over the past decade.

The Department of Homeland Security's Science and Technology Directorate published a 2021 report testing multiple commercial location data providers for "mission utility" - essentially a vendor evaluation for surveillance tools. The report evaluated how accurately brokers could identify a device's home and work locations, predict future movements, and identify associates.

And U.S. Customs and Border Protection, which sits under DHS, has the most documented history. The 404 Media investigation revealed CBP's use of RTB data. A 2020 report from the Customs and Border Protection Office of Inspector General found the agency had used location data services from a company called Venntel without completing a required privacy impact assessment.

The Timing Problem: Why Patel's Admission Matters Now

Context matters here. In January 2023, then-FBI Director Christopher Wray testified before the Senate Intelligence Committee and told senators that the FBI was not currently purchasing location data from commercial data brokers. He acknowledged the bureau had done so in the past, but presented the practice as discontinued.

Wyden, who has been fighting warrantless data purchases for years, appears to have already known this was false - or that the policy had reversed. His March 18, 2026 question to Patel was not fishing; it was confirmation-seeking. Patel gave him what he needed.

The significance is this: if the FBI stopped and then restarted, the question is when and why. Intelligence community critics note that the Trump administration's emphasis on aggressive immigration enforcement, border security, and political surveillance creates strong institutional incentives to maximize warrantless data collection. The return of Kash Patel - a loyalist with a documented history of weaponizing institutional power for political ends - as FBI director makes the timing of this restart more significant, not less.

Senator Wyden introduced the bipartisan Government Surveillance Reform Act just one week before Patel's testimony, along with Senators Mike Lee (R-UT), Zoe Lofgren (D-CA), and Davidson (R-OH). The bill would require court authorization before any federal agency can buy commercial data on Americans. It is one of the more concrete attempts in years to actually close this loophole.

The Technical Layer: Real-Time Bidding as a Surveillance Infrastructure

The real-time bidding system deserves more attention than it gets in these conversations, because most people understand it as "the thing that makes ads follow you around the internet." That framing is accurate but dramatically undersells the surveillance infrastructure that RTB has inadvertently constructed.

Every time you load an app or webpage that contains advertising, a bid request is broadcast - often within 100 milliseconds - to hundreds of potential advertisers simultaneously. That bid request contains: your device's advertising ID (a persistent identifier tied to you), your precise GPS location (often accurate to 5-10 meters), the time, and often additional data including app usage history and behavioral signals.

The advertiser who wins the auction buys your eyeballs. But every advertiser who received the bid request also received your data. They can store it. Companies have built entire business models around harvesting this discarded bid-stream data at scale.

Broker firms like Babel Street, Venntel, X-Mode (now Outlogic), and Veraset have built databases of billions of location pings derived from this system. They market these as "mobility analytics" and "audience intelligence" tools. They sell to retailers, hedge funds, urban planners - and government agencies.

The scale is genuinely difficult to comprehend. Outlogic, in a 2022 FTC submission, claimed its database contained location data for 250 million devices in the United States. That is roughly 75% of the U.S. population tracked at some level of fidelity. On a typical day, a data broker like this might process hundreds of billions of location pings from the RTB ecosystem alone.

There is a growing technical defense: app stores have introduced "approximate location" permissions, and privacy-focused operating system features like iOS's App Tracking Transparency framework have reduced the precision and volume of some data collection. Android's equivalent measures have been less aggressive. But these are partial mitigations, not solutions. The RTB system itself - which operates at the network layer before your device's privacy settings can intervene - remains largely unaddressed.

Apple, Google, and the Platform Responsibility Question

The two companies that control the smartphone duopoly bear significant responsibility for this situation, a point that rarely gets the attention it deserves when discussions focus on data brokers and federal agencies.

Apple's App Store policies theoretically prohibit apps from selling location data to third parties. In practice, enforcement has been inconsistent. A 2020 investigation by the New York Times documented multiple App Store apps sharing precise location data despite terms-of-service prohibitions. Apple has taken enforcement actions against specific apps, but the RTB SDK ecosystem has proven difficult to fully police because the data exfiltration often happens at a layer that isn't obviously visible in app review.

Google's situation is more complex. Android's more open architecture has historically made it easier for aggressive data collection. The company's own advertising business depends on the RTB ecosystem. Google has announced various "Privacy Sandbox" initiatives designed to replace third-party tracking identifiers, but these efforts have faced antitrust scrutiny and have moved slowly. The advertising ID that fuels much of the broker ecosystem remains active on hundreds of millions of Android devices.

The companies' positions are structurally uncomfortable: Apple profits from App Store revenue generated by apps that engage in the very data collection its policies nominally prohibit. Google's business model is fundamentally dependent on the targeted advertising ecosystem that feeds broker databases. Real reform at the platform level would require both companies to accept significant revenue impacts, which creates obvious incentives to move slowly and incompletely.

What Happens Next: Reform, Litigation, or Status Quo

Three paths are available from here: legislative reform, judicial rulings that extend Carpenter's logic to commercially purchased data, or continued status quo where agencies buy what they want and nobody knows.

The GSRA is the most credible current legislative vehicle. Its bipartisan co-sponsorship is significant - having both Wyden and Lee on a bill suggests it isn't purely partisan positioning. But the bill faces headwinds from an administration that has demonstrated no particular interest in constraining surveillance powers, and from Senate leadership that has historically been reluctant to take up surveillance reform except when forced by expiring authorities.

The judicial path is unpredictable but potentially powerful. Carpenter v. United States was decided on a 5-4 vote and established that the third-party doctrine - the principle that you lose constitutional protection over information you share with third parties - has limits when technology enables unprecedented surveillance. The majority opinion specifically flagged that future cases might require additional doctrinal development.

A case directly challenging the government's purchase of commercial location data could extend Carpenter's logic. The ACLU has been building toward such litigation for years. The challenge is getting a case with the right facts and a plaintiff with standing - typically requiring someone who was actually surveilled using commercially purchased data and suffered some harm as a result. Those cases are difficult to construct because the government almost never discloses when broker data contributed to an investigation.

The most likely immediate outcome is continued status quo. Patel's testimony was notable precisely because it was unusually candid - but candor doesn't produce change. Congress may hold more hearings. The GSRA may advance or stall. In the meantime, the FBI continues buying. CBP continues buying. ICE continues buying. And your phone continues broadcasting.

"When asked by U.S. Senator Ron Wyden if the FBI would commit to not buying Americans' location data, Patel said that the agency 'uses all tools - to do our mission.'" - TechCrunch, March 18, 2026

Wyden has described Patel's position as an "outrageous end-run around the Fourth Amendment." From a constitutional theory perspective, he is correct - but "outrageous" and "unconstitutional" are different things until a court says so. The government has never had to defend this practice to a judge. It has simply relied on the fact that most Americans don't know it's happening, that the legal framework is 40 years old, and that the data broker ecosystem has made the practice so normalized that calling it surveillance sounds alarmist.

It isn't alarmist. It is a precise description of what the FBI director confirmed to the United States Senate on March 18, 2026.

The core issue is not partisan. Surveillance reform coalitions have historically included libertarian conservatives and privacy-focused progressives. The GSRA's bipartisan sponsorship reflects this. What has consistently blocked reform is not ideology - it's the institutional interest of agencies that benefit from the status quo, and a Congress that finds it easier to defer than to legislate.

The question Patel's testimony poses is simple: do Americans have a right to move through their own country without the FBI tracking their movements via their phone? The bureau says yes - it just requires no legal authorization to do so. Senator Wyden says no. The Supreme Court may eventually have to decide. Until then, the data broker industry intermediates between your location and your government, charging both sides for the service.