Do you think the government needs a warrant to collect intimate data about you? Or that you’d have to at least be suspected of doing something wrong first?
A newly released report from the Office of the Director of National Intelligence (ODNI) details how the intelligence community buys significant amounts of data about you from data brokers who track almost everything people do on their phones and computers. This is data the government wouldn’t otherwise be able to obtain on a mass scale or without a court order. But because it’s available to purchase, there’s a legal gray area that the government happily takes advantage of. It’s using your money to do it, too.
The report is also an illustration of how a lack of laws prohibiting the government from buying this data or preventing companies from acquiring and selling it in the first place has created an extensive surveillance state.
“Americans should be furious their tax dollars are being used to buy their own personal information, even if they’re not suspected of any crime,” Sen. Ron Wyden (D-OR) told Vox.
This is kind of Wyden’s thing. The Senate’s biggest privacy hawk has been trying to pass a bill that would forbid the government from buying data on its citizens for years. He also pushed for this report’s creation and release.
The ODNI report comes from a senior advisory panel established by director of national intelligence Avril Haines. Wyden asked Haines at her January 2021 confirmation hearing if she would agree to be transparent about the intelligence community’s secretive purchase of Americans’ data, to which she answered that yes, she would “try to publicize, essentially, a framework that helps people understand the circumstances under which we do that and the legal basis that we do that under.”
This report, which dates back to January 2022, is an effort to do just that. But it was only recently declassified, and then it was released to the general public on June 9. Haines said in a statement to Vox that she “readily agreed” it should be made available in an effort to be as transparent as possible.
The report specifically addresses the intelligence community’s handling of “Commercially Available Information,” or CAI, which it defines as data that can be purchased by the general public. In the pre-internet era, this data was far less comprehensive and invasive, so this practice was much less problematic. But now everyone has trackers in their phones and on the websites they visit, which can and do collect data about huge swaths of their personal lives. That includes things that most people would probably prefer random companies and the government not know, including sexual preferences, political beliefs, religion, whether they’re following Covid curfews, or if they had an abortion. Data brokers can sell this data off to marketers — or the government, or staunch Catholics trying to root out gay priests, or even investigative journalists looking into how easy it is for anyone to buy location data.
“In a way that far fewer Americans seem to understand, and even fewer of them can avoid, CAI includes information on nearly everyone that is of a type and level of sensitivity that historically could have been obtained, if at all, only through targeted (and predicated) collection,” the report says. “That could be used to cause harm to an individual’s reputation, emotional well-being, or physical safety.”
Or, as Patrick Toomey, deputy director of the ACLU’s National Security Project, put it: “Intelligence agencies are buying massive amounts of our sensitive information from data brokers, giving the government the power to intrude on our private lives like never before.”
As the report explains, the US intelligence community “currently acquires a significant amount of CAI,” while acknowledging that this has “important risks and implications for U.S. person [sic] privacy and civil liberties” because it can reveal “sensitive and intimate information about individuals.”
And we are talking about individuals here. Despite the data broker industry’s frequent claims that the data it sells is anonymized, even the DNI admits that it’s “often possible” to identify people through it. What’s often not possible is for those people to know that this data is being collected from them or to stop that collection, let alone prevent it from being sold off to, say, the FBI. Because the government considers this to be “publicly available” and there’s nothing legally saying otherwise, it’s perfectly fine for it to buy the data that it otherwise may have needed a court order to obtain.
“The government avoids the normal oversight and privacy protections that come with requesting information from companies via a court order, and then it spends untold taxpayer dollars for the privilege,” Wyden said.
We already knew, to an extent, that these agencies buy data. You can even see it for yourself on government spending transparency sites. For example, there are millions of dollars worth of contracts with Babel Street, which specializes in selling data to the government.
But, as Wyden’s comment about it being an “untold” amount of money suggests, we don’t have a full accounting of what’s being bought, who’s buying it, and why. So the first recommendation in the report is to catalog what’s being bought and how it’s being used across the intelligence community, or IC, which includes military intelligence, the FBI, the CIA, and the DHS. That kind of accounting doesn’t exist now.
“The IC does not currently have sufficient visibility into its own acquisition and use of CAI across its 18 elements,” the report says.
The potential good news is that there are other recommendations in the report. A big one is for agencies to adopt standard procedures and policies for how they handle commercially available data that take into account how sensitive some of that data is. The report offers up one agency’s current practices as a good example to follow, although the name of the agency and what those practices are have been redacted. Haines said her office is currently working to implement those recommendations and plans to release as much of that framework to the public as possible when it’s ready.
That’s better than nothing. Wyden says such recommendations “would represent a major improvement over the lawless status quo,” but they’re also not legally binding. Creating laws that protect Americans’ data privacy is Congress’s job, but they’re few and far between. So the ACLU will continue to demand them. “Congress must stop this rampant spying,” Toomey said.
The report also underlines the extent to which the data brokers collecting commercially available data are invading our privacy and how little control we have over them. This is, after all, a multibillion-dollar industry that’s loosely regulated and well-incentivized to gobble up as much information about as many people as possible. The ODNI even admits, multiple times in the report, that these brokers can get much more “publicly available information” than the intelligence agencies it oversees can.
For all of the report’s stated concern over the potential abuses of the copious amounts of information it buys up, it’s clear that the intelligence community doesn’t want to actually stop buying it. The data is “extremely and increasingly valuable and important for the conduct of modern intelligence activity,” the report says. It also claims the intelligence community needs “certain access to CAI” or it will be at a “significant disadvantage vis a vis foreign adversaries and competitors” who can and do buy it, too. In other words, the fact that this data is so comprehensive and so widely available, including to other governments, is another reason why the US should keep on buying it.
“The government would never have been permitted to compel billions of people to carry location tracking devices on their persons at all times, to log and track most of their social interactions, or to keep flawless records of all their reading habits,” the report says. “Yet smartphones, connected cars, web tracking technologies, the Internet of Things, and other innovations have had this effect without government participation.”
These avenues for data collection aren’t going to go away; there will only be more of them in our increasingly computerized future. But that doesn’t mean they have to be allowed to collect and sell that data, or that the industry can’t have any legal guardrails. Congress can do something about all of that if it really wants to. The question is why it still hasn’t.