US Intelligence Community Is Buying “Commercially Available” Surveillance Data – What are the Implications?

Data PrivacyData ProtectionCybersecurity
Written By Hosch & Morris

 

Privacy Plus+

Privacy, Technology and Perspective

US Intelligence Community Is Buying “Commercially Available” Surveillance Data – What are the Implications? This week, let’s look at a recently-declassified report issued by a senior advisory group to the Office of the Director of National Intelligence (ODNI), on “Commercially Available Information” (CAI).

Background:  Earlier in June, the ODNI declassified a previously secret report from last year on the U.S. Intelligence Community’s many purchases of commercially available, off-the-shelf personal data (as opposed to purchases of data compiled specifically for the government), with recommendations for going forward. Publication of the report has resulted in great gasps and pearl-clutching among those who are shocked that the USG would subscribe to troves of information from Thomson Reuters, LexisNexis, PeekYou, and many others, but it shouldn’t be all that surprising, since our adversaries most certainly do. 

Though not tremendously detailed, you can even find unclassified USG contracts for personal data at https://sam.gov/content/home. The 48-page report contains good examples of the types of CAI that the Intelligence Community is collecting, why it is collecting it, and the framework under which it does so.  It also asks questions very pertinent to today.

Examples of What CAI is Collected and Why:  To name just a few examples, the FBI contracts with a service for social media alerts. The Defense Intelligence Agency contracts for social media reports on people seeking security clearances. The Defense Department subscribes to Jane’s Online, and the Treasury Department to Bankers’ Almanac. The data may be used for analytics, but also for supporting compliance (e.g., making sure that they are collecting intel only on non-U.S. citizens), supporting human-intelligence gathering, building, and training AI, and assisting in counter-espionage.

Significantly, though, the report recognizes the risks in this: the sensitivity of such data, “mission creep,” the possibility of misuse, and implications for civil liberties, among others, and it strongly advocates for a thoughtful approach. 

2011 – Current Guidance:  The Intelligence Community has been operating under 12-year-old guidance from July 2011.  It isn’t bad, but it needs updating.  From well before 2011 until quite recently, most have considered Publicly Available Information (PAI) – especially as allowed to become publicly available by the data subject herself – not to be particularly sensitive, and to be essentially “up for grabs” and outside the bounds of privacy laws.  So, reasoned the 2011 guidance, when PAI is available through commercially-available databases, there should be limited concerns. This general reasoning underlies the Katz and Carpenter decisions and much else. The 2011 Guidance advised that agencies collect PAI only for an authorized purpose, only from publicly available sources, and narrow the scope to what is necessary and available through the least intrusive means. 

Today’s World:  Today, however, the core issue is that more and more sensitive personal information is making its way into “Publicly Available” databases – and, of course, virtually everything that is publicly available is, also, “commercially available.” For example, persistent location information on millions of Americans is now openly for sale to the general public.  Yet, under Carpenter v. United States, the acquisition of persistent location information concerning one person by law enforcement from communications providers is a Fourth Amendment “search” that generally requires probable cause. If that information can easily be bought, then the Intelligence Community’s old guidance treats the information as PAI and can purchase it

In short, in 2023, CAI now contains much more sensitive personal information than it did when the Guidance was first published.

Recommendations:  The study group recommends disavowing the notion that PAI is a good proxy for “non-sensitive data,” and instead expressly realizing that much CAI contains very sensitive information indeed.  Then, with that fresh perspective, it recommends developing 3 things:

·      A thorough, multi-tiered process to figure out what CAI the Intelligence Community acquires;

·      Updated, adaptable standards and processes for CAI collection and use; and

·      More precise guidance for the protection of privacy and sensitive information within CAI. 

You can read the report by clicking the following link:

https://www.dni.gov/files/ODNI/documents/assessments/ODNI-Declassified-Report-on-CAI-January2022.pdf 

---

Hosch & Morris, PLLC is a boutique law firm dedicated to data privacy and protection, cybersecurity, the Internet and technology. Open the Future℠.

 

 

Hosch & Morris https://hoschmorris.com
Previous

Texas Data Privacy and Security Act
Next

Janus - Use of Facial Recognition Expanded by the TSA