The Chinese Communist Party (CCP) may not need TikTok to harvest troves of sensitive data on US citizens if Beijing can continue to commercially purchase Americans’ data instead — as our laws currently allow. The present risks of our citizens’ data being sold to foreign governments are grossly underappreciated. Although plugging this gaping hole in our data security touches on a range of hot-button issues, banning the sale of sensitive American data to adversarial governments should be an obvious priority for quick, decisive action.
The concern centers on “data brokers” — companies that purchase, aggregate, analyze, and sell data on (usually unwitting) populations around the world. The multibillion-dollar industry’s shady reputation for hoarding information on individuals has led these companies to be described as “the middlemen of surveillance capitalism,” and it has garnered considerable concern over complex issues related to consumer privacy, civil rights, and democracy more generally. These broader issues are undeniably complex and should be dealt with carefully. But the national security dimension of data brokering is pretty straightforward: Selling Americans’ sensitive data to unfriendly foreign governments is a pressing security threat that should not be permitted.
The scope of the problem is considerable. As far back as 2014, the Federal Trade Commission reported that just one of these data brokers already had “3000 data segments for nearly every U.S. consumer”; another had “information on 1.4 billion consumer transactions and over 700 billion aggregated data elements.” These brokers’ insights into Americans’ health, travel, and finances are growing at astonishing rates, and they can be used for a host of nefarious blackmailing purposes — or to gain concerning insights, such as when The New York Times used purchased data to construct a near real-time feed of the location of then-President Trump’s security detail in 2019.
Unsurprisingly, China already steals the type of bulk data sets on Americans that data brokers sell. In July of last year, FBI Director Christopher Wray noted, “If you are an American adult, it is more likely than not that China has stolen your personal data.” Indeed, one of the largest Chinese hacks of Americans’ personal data was that of Equifax, a leading data broker, resulting in the PRC gaining information on almost half of all Americans. The CCP theoretically could have legally purchased the same information, probably with greater ease. We also know from the Director of the United States National Counterintelligence and Security Center that China is using both “legal and illegal means” to collect bulk personal data of the sort sold by data brokers.
Three difficulties present themselves to redressing the issue. First, enforceability will be challenging: Data — even vast quantities of data — are notoriously “slippery,” making it difficult to track where data goes or what it is used for once it is transferred. The internet is home to a highly diverse ecosystem of avenues through which personal data is trafficked, and legislation that targets one path may simply divert data flows to other routes.
Secondly, the discourse around data brokers can quickly be subsumed into a hairy set of broader data privacy questions: Should our own intelligence agencies be allowed to purchase this data? What about law enforcement? Does the data broker sector need more comprehensive data privacy legislation?
Finally, there is the economic dimension. Given the Chinese government’s unrestricted access to the data of companies operating in the PRC, regulations on data transfers could be disruptive and costly to a wide swath of businesses that work with companies in the PRC. Depending on the form of the restrictions, businesses from a host of other countries that deal heavily in data, like Ireland, could also suffer considerable losses along with their American counterparts.
Any viable solution would have to carefully address all three of these challenges, balancing business interests with enforceability and maintaining enough adaptability to account for rapidly evolving technologies and privacy concerns.
So far, a few options have emerged. A new bill would have the Secretary of Commerce identify categories of personal data that are important to protect and data-receiving countries of concern in order to administer licenses for data export. Others have suggested more intermediary measures, such as requiring data-selling companies to declare their foreign customers, or expanding the Committee on Foreign Investment in the United States (CFIUS) process to restrict adversaries from buying their way into American data-brokering operations.
Putting aside the question of methods, however, the primary challenge to addressing the threat remains an insufficient sense of urgency. Corporate bulk data transfers don’t quite trip the same alarms that hypersonic missiles do, but in a world in which “data is the new oil” there is a very real sense in which these companies can sell off American security to our adversaries — with potentially devastating consequences. Policymakers need to be unambiguous with data brokers: American security is not for sale.