U.S. Spy Agencies Buy Vast Quantities of Americans’ Personal Data, U.S. Says
WASHINGTON—The vast amount of Americans’ personal data available for sale has provided a rich stream of intelligence for the U.S. government but created significant threats to privacy, according to a newly released report by the U.S.’s top spy agency.
Commercially available information, or CAI, has grown in such scale that it has begun to replicate the results of intrusive surveillance techniques once used on a more targeted and limited basis, the report found.
“In a way that far fewer Americans seem to understand, and even fewer of them can avoid, CAI includes information on nearly everyone that is of a type and level of sensitivity that historically could have been obtained” through targeted collection methods such as wiretaps, cyber espionage or physical surveillance, the report concluded.
The report was commissioned by Director of National Intelligence Avril Haines after Sen. Ron Wyden (D., Ore.) requested that the intelligence community detail and make public how it uses commercially available data. Ms. Haines agreed to the request during her 2021 confirmation hearing. The report was completed in January 2022; it was released to the public last week.
It represents the first known attempt by the U.S. government to examine comprehensively how federal agencies acquire, share and use commercially available data sets that are often compiled with minimal awareness by the public that its data is being collected and resold.
A series of articles in The Wall Street Journal has revealed that U.S. intelligence agencies, military units and federal law enforcement agencies buy and sell highly-revealing personal information on Americans.
In recent years, data brokers’ offerings have grown from basic address history and demographic information to include the trail of information generated by smartphone devices and apps, social-media platforms, automobiles and location trackers such as fitness watches.
Such detailed information can now “cause harm to an individual’s reputation, emotional well-being, or physical safety,” said the report, which urged the intelligence community to develop better policies, procedures and safeguards around its acquisition of such information.
Virtually anyone can purchase the data, and the marketplace is loosely regulated in the U.S., which has no comprehensive national privacy law.
Much of that data is sold to the government by vendors who claim it is “anonymized”—stripped of personal information such as names or addresses. But privacy advocates and researchers say that in the case of geolocation information on phones or cars, a name can often be inferred: Individuals typically park their cars at night and set down their phones at their homes. In the case of certain internet data, browsing behavior also can reveal personal information.
The report showed that the Office of the Director of National Intelligence appeared unaware which federal intelligence agencies were buying Americans’ personal data, Wyden said, reflecting the need for stronger oversight and transparency from within the executive branch. He said legislation also was needed to establish guardrails on U.S. government purchases, rein in data brokers that collect and sell the data and protect the data from being used by foreign adversaries. Like the U.S., other countries are widely thought to be acquiring commercial data sets for intelligence purposes, current and former U.S. officials have said.
“If the government can buy its way around Fourth Amendment due-process, there will be few meaningful limits on government surveillance,” Wyden said in a statement, referring to the U.S. Constitution’s protections against “unreasonable searches and seizures.”
The Office of the Director of National Intelligence didn’t respond to a request for comment about the report.
The report contained a paragraph that appeared to be marked classified but that was nevertheless included that acknowledges that the U.S. government has the capability to attribute personal identities to the data, and said few policies addressed the collection of such information.
The report cited “inconsistencies between how different [intelligence community] elements define and treat” information collected from commercial sources. Some agencies treat the data as foreign, and thereby lacking robust privacy protections.
Since the 1970s, the intelligence community has been circumscribed in using intrusive surveillance techniques on Americans without court oversight. However, data available for sale is generally considered “open source” and its collection doesn’t require special authorizations.