Scammers targeting the elderly, foreign adversaries spreading propaganda and law enforcement agencies seeking a Fourth Amendment workaround are just some of the reasons lawmakers from both parties are scrutinizing the shady world of third-party brokers that buy and sell personal data on hundreds of millions of Americans each year.
High-ranking members of the Senate Finance Committee are the latest on Capitol Hill to seek guidance from privacy experts for reining in the largely unregulated industry. Democrats and Republicans have grown increasingly concerned about third-party data brokers in recent years, but efforts to regulate the industry have yet to pass the House or Senate.
Sen. Bill Cassidy, R-La., the ranking member of the Finance Subcommittee on Fiscal Responsibility and Economic Growth, said at a hearing last week that lawmakers must consider “what data is appropriate to collect, what limits should be placed on the groups that collect that data, and restrictions on how that data is sold or transferred to others.”
“Should we allow a list of military personnel to be sold to foreign adversaries? Should we allow a list of domestic abuse survivors to be sold to domestic abusers?” Cassidy said, referencing some of the most vulnerable groups that can be exposed by third-party data brokers.
Experts say the sheer amount of data most Americans share on a daily basis, often without knowing it, means that almost anyone can become a victim.
“Data brokers can track and sell your race, religion, gender, sexual orientation, income level, how you vote, what you buy, what you search online and where your kids and grandkids go to school,” said Justin Sherman, a research fellow who studies the data brokerage industry at Duke University’s Sanford School of Public Policy.
Sherman’s research has revealed brokers “widely advertising data on hundreds of millions of Americans, their sensitive demographic information, political preferences and beliefs and whereabouts in real-time locations, as well as data on first responders, students, government employees, and current and former members of the U.S. military,” he said.
Sherman laid out a laundry list of the ways scammers and criminals could capitalize on services offered by third-party data brokers.
“There is little in U.S. law stopping data brokers from collecting, publishing and selling data on victims and survivors of intimate partner violence,” he said. “Data brokers also advertise data on millions of Americans' mental health conditions. Criminals already scam senior citizens using data broker data. They could similarly buy data on seniors with Alzheimer's and dementia to steal away their life savings. Foreign governments could even acquire this data for intelligence purposes.”
Data brokers benefit from a client base so wide and diverse that it includes law enforcement agencies as well as criminals. According to a new report by the nonpartisan Center for Democracy and Technology, law enforcement and intelligence agencies have spent tens of millions on location, communications, biometric, and license plate data.
Law enforcement buys data too
“There is no clear limit on the potential availability of commercially acquired data that would typically require legal process to obtain,” the report said.
Law enforcement agencies typically acquire such personal data by exploiting a loophole in the Electronic Communications Privacy Act, which requires them to meet certain legal standards when requesting data from a service provider, but not when buying it from a third-party broker.
To address the loophole, Democrats and Republicans in the House and Senate have introduced legislation that would require law enforcement and intelligence agencies to get a search warrant before buying data from a third-party seller.
“The Fourth Amendment’s protection against unreasonable search and seizure ensures that the liberty of every American cannot be violated on the whims, or financial transactions, of every government officer,” said Sen. Rand Paul, R-Ky., who is sponsoring the Senate bill with Oregon Democrat Ron Wyden.
In the 116th session of Congress, lawmakers authored bills to regulate the third-party data broker industry as a whole, but those bills have yet to be reintroduced.
Sherman suggested a three-pronged approach: control the third-party sale of data to foreign companies, citizens and governments; limit or ban the sale of health and location data; and stop companies from using algorithms to predict or infer data that they would no longer be allowed to collect.
“Congress can and should act now to regulate the data brokerage ecosystem and its threats to consumers, civil rights and national security,” he said.