President Biden’s Executive Order: No More Sales of US Data to China and Russia – A Daring Move.

Dell Cameron

US president Joe Biden will sign an executive order on Wednesday aimed at preventing a handful of countries, including China, North Korea, and Russia, from purchasing sensitive information about Americans through commercial data brokers in the United States.

Administration officials say categories of sensitive data, including personal identifiers, precise location information, and biometrics—vital tools for waging cyberattacks, espionage, and blackmail operations against the US—are being amassed by what the White House is calling “countries of concern.”

Biden administration officials disclosed the order to reporters in advance during a Zoom call on Tuesday and briefly took questions, on the condition that they not be named or referred to by job title.

The order will have few immediate effects, they said. The US Justice Department will instead launch a rulemaking process aimed at mapping out a “data security program” envisioned by the White House. The process affords experts, industry stakeholders, and the public at large an opportunity to chime in prior to the government adopting the proposal.

White House officials said the US Attorney General would consult with the heads of the Department of State and Department of Commerce to finalize a list of countries falling under the eye of the program. A tentative list given to reporters during Tuesday’s call, however, included China, Cuba, Iran, North Korea, Russia, and Venezuela.

The categories of information covered by the program will include health and financial data, precise geolocation information, and “certain sensitive government-related data,” among others, the officials said. The order will contain several carve-outs for certain financial transactions and activities that are “incidental” to ordinary business operations.

It’s unclear to what degree such a program would be effective. Notably, it does not extend to a majority of countries where trafficking in Americans’ private data will ostensibly remain legal. What’s more, it’s unclear whether the government has the authority or wherewithal (outside of an act of Congress) to restrict countries that, while diplomatically and militarily allied with the US, are also known to conduct espionage against it: close US ally Israel, for instance, was accused in 2019 of planting cell-phone-spying devices near the White House, and has served as an international marketplace for illicit spyware; or Saudi Arabia, which availed itself of that market in 2018 to covertly surveil a Washington Post contributor who was later abducted and murdered by a Saudi hit squad.

If China, Russia, or North Korea moves to obtain US data from a third party in one of the more than 170 countries not on the US government’s list, there may be little to prevent it. US data brokers need only take steps to ensure overseas customers follow “certain security requirements” during the transfer, many of which are already required by law.

The restrictions imposed by the executive order are meant to protect against “direct” and “indirect transfers of data,” officials said. But data brokers are on the hook merely until they obtain “some type of commitment” from overseas customers—an “understanding”—when it comes to the possibility of data being sold or transferred to others down the line.

The important thing, the official said, is for data brokers to “get those assurances.”

To penalize a data broker for selling restricted information that finds its way into the hands of a banned country, the government has the burden of proving the company did so knowingly or negligently. These two circumstances, however, hardly cover the range of possibilities likely to lead to that outcome. The US government has little control over the internal security of foreign individuals or companies, and data brokers cannot reasonably be held responsible for customers who set out to deceive them or who simply fail to safeguard the data they’ve purchased from a sophisticated threat with superpower backing.

An American data security program that permits the sale of American data to the majority of foreign countries may only slightly diminish the likelihood of an incident. That appears insufficient for a risk the White House itself deems crucial to national defense.

“The sale of Americans’ data leads to considerable privacy, counterintelligence, blackmail risks, and other national security issues—particularly for those involved in the military or national security sector,” the White House said in a release.

This scheme, it continues, is not meant to replace actual privacy legislation, which the US Congress has repeatedly attempted but failed to pass over the years. The most promising bill in the previous decade, the American Data Privacy and Protection Act (ADPPA), was practically dead on arrival when it was introduced in 2022, with Republicans and Democrats unable to agree on several provisions after five years of negotiations.

However, even ADPPA was essentially a defective bill that exempted all companies serving the government, including technology startups that have sealed contracts with local law enforcement bodies.

Had ADPPA actually passed, this particular exemption would have expressly covered a data broker that was penalized last month by federal regulators. Formerly known as X-Mode, the location data broker was found to have ignored requests by consumers not to be tracked. The data was then marketed to the government for an undisclosed sum. (For more information on the US government’s efforts to secretly purchase domestic phone data for intelligence and military purposes, availing itself of what one technology consultant calls “the largest information-gathering enterprise ever conceived by man,” read an excerpt from Byron Tau’s new book, Means of Control.)

While the White House claimed Wednesday that Biden is continuing to “urge Congress to do its part and pass comprehensive bipartisan privacy legislation,” the Biden administration has in reality opposed efforts to ban the commercial sale of Americans’ location data, lobbying members of Congress openly and in private to combat amendments that would interfere with the government’s own ability to make such purchases.

“I would not compare the way our government uses data to the way the ‘countries of concern’ are using data,” said another official on Wednesday when asked about the growing support in Congress to ban the US government from making the same purchases. “That’s not the topic of this EO,” they said.

Cybersecurity experts and intelligence chiefs acknowledge that the US government is under constant attack from professional hackers abroad, many of whom are aligned with, if not directly contracted by, the hostile nations that Biden’s new executive order aims to repel. Privacy advocates have long argued that, given this reality, it’s a counterintuitive strategy to allow the US government to remain one of the data broker industry’s top customers.

Notably, the efforts of US agencies to shore up their own cyber defenses against foreign threats are routinely revealed to be behind schedule, as has been the case for the past decade. Major hacks in recent years have targeted agencies whose biggest asset is personal information, including the Internal Revenue Service and Office of Personnel Management.

Data has not been safe in the hands of US spies either, with a former intelligence officer sentenced to 40 years in prison this month over what prosecutors called the “single biggest leak” in the history of the Central Intelligence Agency—data that was successfully stolen and delivered to WikiLeaks, which, like Biden’s “countries of concern,” the US government has accused of espionage.

In February 2022, the government’s own accountability watchdog reported publicly that agencies responsible for safeguarding critical infrastructure, including nuclear plants, dams, and emergency services, were among those that had failed to adopt even the procedures needed to determine how protected or vulnerable they really are.
