Biden Bans Rival Nations From Buying Sensitive US Data—Good Luck

The White House issued an executive order on Wednesday that aims to prevent the sale of Americans’ data to “countries of concern,” including China and Russia. Its effectiveness may vary.
US president Joe Biden speaks to governors from across the country during an event in the East Room of the White House on February 23, 2024, in Washington, DC. Photograph: Chip Somodevilla/Getty Images

US president Joe Biden will sign an executive order on Wednesday aimed at preventing a handful of countries, including China, North Korea, and Russia, from purchasing sensitive information about Americans through commercial data brokers in the United States.

Administration officials say categories of sensitive data, including personal identifiers, precise location information, and biometrics—vital tools for waging cyberattacks, espionage, and blackmail operations against the US—are being amassed by what the White House is calling “countries of concern.”

Biden administration officials disclosed the order to reporters in advance during a Zoom call on Tuesday and briefly took questions, on the condition that they not be named or referred to by job title.

The order will have few immediate effects, they said. The US Justice Department will instead launch a rulemaking process aimed at mapping out a “data security program” envisioned by the White House. The process affords experts, industry stakeholders, and the public at large an opportunity to chime in prior to the government adopting the proposal.

White House officials said the US Attorney General would consult with the heads of the Department of State and Department of Commerce to finalize a list of countries falling under the eye of the program. A tentative list given to reporters during Tuesday’s call, however, included China, Cuba, Iran, North Korea, Russia, and Venezuela.

The categories of information covered by the program will include health and financial data, precise geolocation information, and “certain sensitive government-related data,” among others, the officials said. The order will contain several carve-outs for certain financial transactions and activities that are “incidental” to ordinary business operations.

It’s unclear to what degree such a program would be effective. Notably, it does not extend to the majority of countries, where trafficking in Americans’ private data will ostensibly remain legal. What’s more, it’s unclear whether the government has the authority or wherewithal (outside of an act of Congress) to restrict countries that, while diplomatically and militarily allied with the US, are also known to conduct espionage against it. Close US ally Israel, for instance, was accused in 2019 of planting cell-phone-spying devices near the White House, and has served as an international marketplace for illicit spyware. Saudi Arabia availed itself of that market in 2018 to covertly surveil a Washington Post contributor who was later abducted and murdered by a Saudi hit squad.

If China, Russia, or North Korea moves to obtain US data from a third party in one of the more than 170 countries not on the US government’s list, there may be little to prevent it. US data brokers need only take steps to ensure overseas customers follow “certain security requirements” during the transfer, many of which are already required by law.

The restrictions imposed by the executive order are meant to protect against “direct” and “indirect transfers of data,” officials said. But data brokers are on the hook merely until they obtain “some type of commitment” from overseas customers—an “understanding”—when it comes to the possibility of data being sold or transferred to others down the line.

The important thing, the official said, is for data brokers to “get those assurances.”

To penalize a data broker for selling restricted information that finds its way into the hands of a banned country, the government has the burden of proving the company did so knowingly or negligently. These two circumstances, however, hardly cover the range of possibilities likely to lead to that outcome. The US government has little control over the internal security of foreign individuals or companies, and data brokers cannot reasonably be held responsible for customers who set out to deceive them or who simply fail to safeguard the data they’ve purchased from a sophisticated threat with superpower backing.

An American data security program that allows American data to be sold in the vast majority of foreign countries may only slightly reduce the odds of an incident. It is a piecemeal solution that falls short of the task it sets itself by declaring the risk critical to national defense.

“The sale of Americans’ data raises significant privacy, counterintelligence, blackmail risks, and other national security risks—especially for those in the military or national security community,” the White House said in a statement.

The program, it adds, is not intended to be a substitute for actual privacy legislation, something the US Congress has repeatedly taken up but failed to achieve despite various attempts over the years. The most viable bill in the past decade, the American Data Privacy and Protection Act (ADPPA), was effectively dead on arrival when it debuted in 2022, with Republicans and Democrats failing to come to terms over a handful of provisions after five years of negotiation.

Yet even ADPPA was a fundamentally flawed bill that exempted all companies working for the government, up to and including technology startups that have penned contracts with local police agencies.

Had ADPPA actually passed, this particular exemption would have expressly covered a data broker that was penalized last month by federal regulators. Formerly known as X-Mode, the location data broker was found to have ignored requests by consumers not to be tracked. The data was then marketed to the government for an undisclosed sum. (For more information on the US government’s efforts to secretly purchase domestic phone data for intelligence and military purposes, availing itself of what one technology consultant calls “the largest information-gathering enterprise ever conceived by man,” read an excerpt from Byron Tau’s new book, Means of Control.)

While the White House claimed Wednesday that Biden is continuing to “urge Congress to do its part and pass comprehensive bipartisan privacy legislation,” the Biden administration has in reality opposed efforts to ban the commercial sale of Americans’ location data, lobbying members of Congress openly and in private to combat amendments that would interfere with the government’s own ability to make such purchases.

“I would not compare the way our government uses data to the way the ‘countries of concern’ are using data,” said another official on Wednesday when asked about the growing support in Congress to ban the US government from making the same purchases. “That’s not the topic of this EO,” they said.

Cybersecurity experts and intelligence chiefs acknowledge that the US government is under constant attack from professional hackers abroad, many of whom are aligned with, if not directly contracted by, the hostile nations that Biden’s new executive order aims to repel. Privacy advocates have long argued that, given this reality, it’s a counterintuitive strategy to allow the US government to remain one of the data broker industry’s top customers.

Notably, the efforts of US agencies to shore up their own cyber defenses against foreign threats are routinely revealed to be behind schedule, as has been the case for the past decade. Major hacks in recent years have targeted agencies whose biggest asset is personal information, including the Internal Revenue Service and Office of Personnel Management.

Data has not found a safe space in the hands of US spies either, with a former intelligence officer sentenced to 40 years in prison this month over what prosecutors called the “single biggest leak” in the history of the Central Intelligence Agency—data that was successfully stolen and delivered to WikiLeaks, which, like Biden’s “countries of concern,” the US government has accused of espionage.

In February 2022, the government’s own accountability watchdog reported publicly that agencies responsible for safeguarding critical infrastructure, including nuclear plants, dams, and emergency services, were among those that had failed to adopt even the procedures needed to determine how protected or vulnerable they really are.