U.S. intelligence agencies are buying and storing personal information on Americans with little oversight and few guidelines, according to a government report.
The report, which the Office of the Director of National Intelligence published Monday, offers fresh insight at how U.S. intelligence agencies have capitalized on the widespread availability of for-purchase data on Americans. The partially declassified report is dated January 2022. Its author was redacted, and the Office of the Director of National Intelligence did not respond to a request for comment on the authors.
Unchecked overreliance on commercially available information poses a threat to Americans, the report found.
Commercially purchased data “can reveal sensitive and intimate information about the personal attributes, private behavior, social connections, and speech of U.S. persons and non-U.S. persons,” the report said. “It can be misused to pry into private lives, ruin reputations, and cause emotional distress and threaten the safety of individuals. Even subject to appropriate controls, CAI can increase the power of the government’s ability to peer into private lives to levels that may exceed our constitutional traditions or other social expectations.”
Government agencies have to navigate an array of laws that often prevent them from tracking Americans without a court order or warrant. But there are few legal restrictions on private companies that buy, repackage and sell personal data, which the report calls “commercially available information” or CAI.
That has allowed an entire industry of data brokers to flourish by selling very specific information about people. Agencies in the U.S. intelligence community (IC) can simply buy that information from the companies that collect it.
“The IC currently acquires a significant amount of CAI for mission-related purposes, including in some cases social media data,” the report found.
The report’s authors cite a wide range of examples of government agencies considering and potentially using contracts with private companies to buy personal data: the Defense Intelligence Agency contracting LexisNexis; the Navy contracting a company called Sayari Analytics for a database of people who might be tied to sanctioned people; and the FBI contract cybersecurity company ZeroFox for social media alerts.
The Department of Homeland Security has used Web of Science, a clearinghouse for academic studies, to identify foreign researchers working in the U.S. who were tied to their home country’s militaries, the report found. The CIA was working out its own policies on using that kind of data as of the date of the report. The agency didn’t immediately respond to a request for an update.
The privacy dangers go beyond the U.S. government, the report found. Foreign intelligence agencies have similar access to those companies and can buy their data.
Concerns about foreign government access to data on Americans have grown in recent years, mostly tied to the rise of China-based apps like TikTok. Many privacy experts have stressed that while concerns around TikTok bear discussion, they miss the broader data privacy issues that the U.S. has yet to address.
Sen. Ron Wyden, D-Ore., who initially asked the Director of National Intelligence, Avril Haines, to release the report, said it showed the U.S. needs more digital privacy protections for citizens.
“This review shows the government’s existing policies have failed to provide essential safeguards for Americans’ privacy, or oversight of how agencies buy and use personal data,” Wyden said in a press release.
“Congress needs to pass legislation to put guardrails around government purchases, to rein in private companies that collect and sell this data, and keep Americans’ personal information out of the hands of our adversaries,” Wyden said.