Data Privacy

When Surveillance Becomes Science: The Data the FDA Should Not Trust

In 2024, the Federal Trade Commission (FTC) banned a data broker called X-Mode Social from selling sensitive location data, charging that the company sold precise phone location data that could be used to track visits to reproductive health clinics, addiction treatment centers, and other sensitive sites. 

In 2024, the Federal Trade Commission (FTC) banned a data broker called X-Mode Social from selling sensitive location data, charging that the company sold precise phone location data that could be used to track visits to reproductive health clinics, addiction treatment centers, and other sensitive sites. According to the FTC’s complaint, one buyer was a private clinical research company, which paid for data about people who had visited medical offices and then pharmacies or infusion centers around Columbus, Ohio. That detail deserves a second read: The clinical research world was already shopping in the surveillance economy.

X-Mode was not an outlier. The FTC has since moved against Gravy Analytics, which drew virtual boundaries around buildings to build and sell lists of people who attended events related to medical conditions, and Mobilewalla, which harvested location data from online advertising auctions and sold data tracking people to health clinics. 

The FTC’s charge, repeated across these cases, was blunt: Collecting and selling health-revealing data without meaningful consent is an unfair practice, and a violation of federal consumer protection law.

Here is the uncomfortable part: At the very moment one federal agency was declaring this data illegal, another was opening its doors wider to it.

The U.S. Food and Drug Administration (FDA) has spent the past decade embracing real-world evidence, meaning health data drawn from insurance claims, electronic health records, registries, apps, and wearables, rather than from traditional clinical trials. In December 2025, the agency announced that it will accept such evidence for certain device applications without requiring identifiable patient-level records. That opens the door to commercial databases of de-identified records, records scrubbed of names and other identifying details, and the agency signaled that it intends to consider the same change for drugs. Essentially, the FDA is paving the way for drug approvals that rest on data assembled and sold by commercial brokers.

When the FDA evaluates this evidence, it asks whether the data is relevant and whether it is reliable. It does not ask where the data came from, or whether collecting it was legal. Nobody else in the pipeline asks either.

The path from illegal surveillance to regulatory evidence runs through a series of transformations. Data is stripped of names to satisfy privacy rules. It is run through software that swaps identities for scrambled codes so records can be linked across databases.

It is then pooled by commercial aggregators into polished products marketed to drug and device companies as regulatory-grade evidence. Each step makes the data look cleaner. No step asks whether the original collection was lawful.

When the FDA accepts the end product, the government transforms surveillance into science and contraband into evidence.

I call this “epistemic laundering,” and the parallel to money laundering is deliberate. Dirty money passes through legitimate-looking transactions until its origins disappear, and dirty data passes through de-identification and aggregation until its origins disappear. When the FDA accepts the end product, the government transforms surveillance into science and contraband into evidence.

To be clear, this is a structural gap, not a scandal of intent. The FDA cares deeply about data integrity, and its existing rules catch fabrication and sloppy record-keeping well. Those rules were simply never designed to ask the provenance question, because the system never anticipated that health evidence might originate in conduct another federal agency has condemned.

Criminal courts confronted a version of this problem long ago. Under the fruit of the poisonous tree doctrine, evidence obtained through an illegal search cannot be used at trial, because letting the government profit from its own illegality corrupts both the incentives of investigators and the integrity of the court. 

The FDA should adopt the administrative cousin of that rule: Real-world evidence derived from collection practices the FTC has found unlawful, or practices materially like them, should not count in approval decisions, and the burden should fall on the sponsor to show that its data was lawfully sourced. An FTC order marks the floor, not the ceiling: escaping enforcement so far does not make a broker’s data clean.

This is less radical than it sounds. The FDA already refuses to review applications tainted by fraud, and it has rejected all study data from testing laboratories caught submitting falsified results. The principle is settled: When the process that produced the evidence is corrupted, the evidence cannot support approval. Illegally surveilled data belongs in that category.

In one respect, the case is stronger here than in criminal law. In the criminal setting, the evidence is usually accurate; the objection is how the police got it. Covertly collected health data has an added defect: It is distorted in two ways.

The sample is skewed: It over-represents people who never noticed the tracking and omits everyone who avoided or evaded it. And the behavior is skewed: People who fear their clinic visits are being watched delay care, switch providers, or stay away entirely, so the data records surveillance-shaped conduct, not typical patient behavior.

De-identification cures none of this. Stripping out names does not restore the consent people never gave, does not un-skew the sample, and does not stop a location trail precise enough to mark a clinic doorway from being traced back to a person. Where someone seeks care is among the most intimate facts about them, which is why the FTC treated its covert collection as a consumer injury.

Artificial intelligence raises the stakes. More data is not automatically better evidence: A model trained on a skewed sample does not average the skew away; it learns the skew and repeats it in every prediction.

Would such a rule deprive dying patients of cures? No. A sponsor whose evidence fails the provenance test remains free to prove safety and effectiveness with lawfully collected data. The rule I’m suggesting does not raise the scientific bar for approval. It closes a side door.

Clean evidence is not a barrier to health innovation. Clean evidence is health infrastructure. The FDA cannot ask the public to trust algorithmic medicine while its evidence rests on practices the government itself has outlawed. I develop the full argument in a forthcoming article in the American Journal of Law & Medicine.

About the author

  • Gary Hsuanyu Liu

    Gary Hsuanyu Liu holds a J.S.D. from Washington University School of Law, where he held fellowships at the Cordell Institute for Policy in Medicine & Law and the Bioethics Research Center at the School of Medicine. His scholarship examines health data governance, the regulation of medical artificial intelligence, and fiduciary approaches to data law.