ODNI Report on Commercially Available Information
The vast amount of Americans’ personal data available for sale has provided a rich stream of intelligence for the U.S. government but created significant threats to privacy, according to a newly released report by the U.S.’s top spy agency.
Commercially available information, or CAI, has grown in such scale that it has begun to replicate the results of intrusive surveillance techniques once used on a more targeted and limited basis, the report found.
[…]
It represents the first known attempt by the U.S. government to examine comprehensively how federal agencies acquire, share and use commercially available data sets that are often compiled with minimal awareness by the public that its data is being collected and resold.
The report is available here.
The Office of the Director of National Intelligence (ODNI) declassified and released the January 2022-dated report on Friday, following a request by Sen. Ron Wyden (D-OR) to disclose how the intelligence community uses commercially available data. This kind of data is generated from internet-connected devices and made available by data brokers for purchase, such as phone apps and vehicles that collect granular location data and web browsing data that tracks users as they browse the internet.
The advisers decry existing policies that automatically conflate being able to buy information with it being considered “public.” The information being commercially sold about Americans today is “more revealing, available on more people (in bulk), less possible to avoid, and less well understood” than that which is traditionally thought of as being “publicly available.”
Perhaps most controversially, the report states that the government believes it can “persistently” track the phones of “millions of Americans” without a warrant, so long as it pays for the information.
[…]
It is no secret, the report adds, that it is often trivial “to deanonymize and identify individuals” from data that was packaged as ethically fine for commercial use because it had been “anonymized” first. Such data may be useful, it says, to “identify every person who attended a protest or rally based on their smartphone location or ad-tracking records.” Such civil liberties concerns are prime examples of how “large quantities of nominally ‘public’ information can result in sensitive aggregations.”
Regulations have been slowly taking effect around the world which more accurately reflect these views. But there remains little national control in the U.S. over the collection and use of private data, either commercially or by law enforcement and intelligence agencies; and, because of the U.S.’ central location in the way many of us use the internet, it represents the biggest privacy risk. Even state-level policies — like California’s data broker law — are ineffectual because the onus continues to be placed on individual users to find and remove themselves from brokers’ collections, which is impractical at best.
Previously:
- Snowden Ten Years Later
- CDC Bought Phone Location Data
- For Sale: Your Private Browsing History
- Governments Buying Phone Location Data
- Private Intel Firms Buying Phone Location Data
Update (2023-12-19): Joseph Cox:
A section of the Navy bought access to a tool that gave the Pentagon “global” surveillance data via an adtech company that is owned by a U.S. military contractor, according to a Navy contract obtained by 404 Media. Beyond its global scale, the document does not explicitly say what specific sort of data was included in the sale. But previous reporting from the Wall Street Journalhas shown that the marketing agency and government contractor responsible are part of a supply chain of location data harvested from devices, funneled through the advertising industry, onto contractors, which then ends with U.S. government clients.
