My first Lawfare article has been posted this morning. Here are the first few paragraphs, but read the rest at Lawfare:
In the worlds of data protection and privacy, too often there is a decoupling of national security issues and what might be termed non-national security issues despite the clear interplay between the two realms. Over the past decade, U.S. adversaries have vacuumed up the personal data of many Americans with one nation possibly being at the fore: the People’s Republic of China (PRC). The PRC was connected to the Office of Personnel Management and Equifax hacks, both of which provided massive troves of data the PRC has reportedly used to foil U.S. espionage and intelligence collection efforts abroad. What’s more, the collection of personal data did not stop with these hacks. In September 2020, an Australian security firm turned up evidence of an enormous trove of personal data on American, British, and Australian citizens collected and maintained by a PRC company, Zhenhua Data, with links to the country’s military and security services. It appears the data was scraped from public-facing websites. But the issue does not stop with techniques like these.
Policymakers tend to focus on access to personal data acquired illegally or in the service of espionage. This makes sense, for nothing focuses the data protection mind quite so much as a mammoth, public breach. And there’s no shortage of such exploitations, with Microsoft Exchange, Accellion and SolarWinds being the most recent examples. However, policymakers are not giving enough thought to the possible legal means by which the personal data of Americans and others may be obtained. To be sure, the Trump administration’s rationale for taking steps to ban ByteDance and WeChat in the United States was, in part, that users’ data would eventually make it to the PRC for processing in ways that threatened national security. But as critics pointed out at the time, if the massive industries related to the collection, processing, and selling or sharing of personal data abroad were a concern, there are threats as big, if not bigger, closer to home. Just this week, the Wall Street Journal detailed how one now-defunct defense contractor inadvertently discovered it could track U.S. troops convening in Syria for operations in 2016.
Western policymakers may be missing the forest for the trees by focusing only on hacks, exfiltrations, apps and software as threats to national security. Indeed, there is a universe of personal data that countries like the PRC may be accessing that is generally not part of this conversation: datasets obtained through data brokers.
To the extent data brokers are discussed in Washington, it is often in the context of data protection and data privacy legislation focused on the possible harms that the unfettered use and sharing of personal data may bring in commercial and privacy contexts. But scant consideration is paid to the national security side of the bustling personal data trade. Few policymakers have been focused on the national security side of this issue, but that may be changing. It is possible, and in fact quite likely, that the security and intelligence services of many nations have used personal data that is normally confined to the commercial world. This post explores the national security implications of data brokers and discusses potential reforms, such as those proposed recently by Sen. Ron Wyden, to better protect American data.