For the first time, a freshly released government study that was previously classified indicates that the US intelligence establishment does indeed buy commercially available data on Americans. The Office of the Director of National Intelligence published a study outlining how the US government acquires, uses, and might also give personal data to foreign foes.
The paper continues by outlining the present legal foundation for privacy regulations in the US and describes how the government may be able to violate Americans’ civil liberties as a result of the ubiquitous availability of user data.
Data acquisition is a lucrative sector because, unlike the EU, the US lacks data protection legislation that would regulate the sharing or sale of Americans’ personal information. Federal laws do apply to some types of data, including medical (HIPPA), student (FERPA), consumer (FCRA), and VHS rental (VPPA) information, among others. The lack of access to, control over, or deletion of personal information under US law, however, poses a risk to both privacy and national security. Smartphone apps, websites, and moving objects that record a lot of location data are used to gather user data.
It’s nearly impossible to stop your electronic gadgets from continuously disclosing your personal information because cellphones and internet use are so engrained in daily life. This study was declassified at the request of US Senator Ron Wyden due to the fact that there are no privacy regulations that restrict how businesses and the government can exploit user data.
What is commercially available information?
Commercially available information (CAI), according to the ODNI report, is “information that is available commercially to the general public, and as such, is a subset of publicly available information.” Your location, credit history, insurance claims, criminal records, employment history, income, ethnicity, buying history, and personal hobbies are just a few examples of this data.
The research claims that although some of this information is disclosed by applications and websites as not being connected to your identity, it is still feasible to “deanonymize [anonymous data] and identify individuals, including US persons,” using reverse engineering.
Due to CAI’s commercial availability, the data can be obtained via a third-party data broker, usually in return for cash. These data brokers are described in the report as organisations that manage sophisticated databases including user information about US people.
But cookies are another source of publicly accessible information that data brokers use, such as voting registration, bankruptcy information, and web browsing habits. Most of the time, people are unaware that this information is available to the public and that data brokers buy it.
Website registration and cookies are used by data brokers to track consumers’ online activity and sell the information to marketers for the purpose of retargeting them with advertising. User data becomes a very valuable commodity as a result of this commercial practise.
How does the US government use CAI?
According to the paper, CAI can be helpful to US intelligence services when it is collected alone, paired with other material that is readily accessible to the public, or when it is examined by both people and robots.
According to the ODNI report, the US intelligence community obtains a sizable volume of CAI for “mission-related purposes” and occasionally uses social media data to support these goals.
The US intelligence community purchases CAI through contracts, some of which are still secret. Six of the contracts that aren’t classified are described in the report, while one is still redacted.
Another organisation that purchases geolocation data gathered from smartphones is funded by the Defence Intelligence Agency (DIA). The DIA then obtains the location data and determines if it originates from the US or a foreign country. The FBI and its law enforcement agencies also obtain CAI.
Contracts to purchase CAI have been made with the US Navy, Treasury Department, Department of Defence, and Coast Guard. In the past, both Homeland Security and the IRS attempted to buy location data to follow tax fraudsters and undocumented immigrants, respectively.
Can CAI be used by foreign actors?
Apparently, a Duke University research discovered that three data brokers, who advertise their services, can give information identifying US military personnel. These kinds of data could be utilised by foreign actors to target law enforcement officials, jurists, elected officials, diplomats, and intelligence agents.
Inappropriate buyers or thieves of CAI may potentially assist adversaries in influencing US elections.
Despite the fact that CAI is accessible to the general public, it may be utilised to access private information about a person. The General Data Protection Regulation, which governs data privacy in the EU, defines sensitive information as things like a person’s race, ethnicity, politics, religion, and biometric data.
All of those examples can and are taken from US citizens and collected by data brokers.
What does this mean for your private information?
The majority of your personal information is spread out across the internet and in the possession of data brokers. Your information may occasionally be stolen and sold on the dark web after being obtained from these brokers’ databases. In other cases, government organisations buy your data from brokers.
Although you can refuse when websites and applications ask for access to your data, such as your contacts, media, and location, it’s nearly impossible to use a social media site or streaming service without providing your email address, phone number, or physical address.
The ODNI emphasised how crucial it is to urge the federal government to tighten the legal foundation for the protection of user data in the United States. These safeguards include restricting the amount of information that private corporations can gather, securing data from foreign adversaries, and monitoring the government’s authority to ensure that Americans’ rights are not being violated.
