Where US Spy Agencies Get American’s Personal Data From

(Brian A Jackson/Shutterstock)

A report issued last week by the Office of the Director of National Intelligence indidates the US intelligence community has been collecting and storing large amounts of potentially sensitive and embarrassing information about Americans. Where they’re getting the data may surprise you.

A declassified report on Commercially Available Information, or CAI, which was written in January 2022 and released by the ODNI on June 12, 2023, says that a variety of federal intelligence and law enforcement agencies are buying data about Americans and citizens of other nations from data brokers.

For instance, the Defense Intelligence Agency buys data from LexisNexis, while the US Navy has a contract with Sayari, which bundles and sells public records used for risk analysis, the report says. The Federal Bureau of Investigations works with a cybersecurity company called ZeroFox for social media alerts. Department of Homeland Security gets data from Dun & Bradstreet. Various Treasury Department offices use LexisNexus’s Bankers Almanac. The Coast Guard gets data from Babel Street.

“The IC [intelligence community] currently acquires a large amount of CAI,” the report says. “CAI clearly provides intelligence value, whether considered in isolation and/or in combination of other information, and whether reviewed by humans and/or by machines.”

CAI is a robust form of open source intelligence, or OSINT, the report says. The report cites the findings of the 2005 Weapons of Mass Destruction (WMD) Commission, which found “analysts who use open source information can be more effective than those who don’t.” That commission also urged the creation of an “entity that collects, processes, and makes available to analysts the mass of open source information that is available in the world today.”

The US Government is collecting geolocation data on Americans (Golden-Dayz/Shutterstock)

However, the amount of CAI data available on the open market today has skyrocketed compared to 2005. The advent of the public cloud in 2006 and the smartphone in 2007 combined to create a perfect environment for the creation of mass amounts of data on consumers and the means to store the data forever.

Location data from smartphones is among the most sensitive CAI that American spy agencies buy. The report notes that the DIA “currently provides funding to another agency that purchases commercial available geolocation metadata aggregated from smartphones.”

The location data is global in nature, and data from Americans isn’t segregated when it arrives at the agency, the report states. However, actually accessing the location data of people on US soil is restricted; it’s only been granted five times in the past two-and-a-half years, the report says.

The ODNI report is somewhat critical of the government’s behavior, insofar as it cites the potential for abuse, as well as security implications of housing data that’s so personal in nature.

“In the wrong hands, sensitive insights gained through CAI could facilitate blackmail, stalking, harassment, and public shaming,” the report states. “Concerns like these are why… several IC elements require a ‘volume, proportion, and sensitive’ analysis of certain data practices…”

Government warehousing of American’s personal data also raises constitutional questions about the nature of freedom and liberty in the digital age.

The Defense Intelligence Agency buys information on Americans from the open market (Source: DIA)

“The government would never have been permitted to compel billions of people to carry location tracking devices on their persons at all times, to log and track most of their social interactions, to keep flawless records of all their reading habits,” the report states. “Yet smartphones, connected cars, web tracking technologies, the Internet of Things, and other innovations have had this effect without government participation. While the IC cannot willingly blind itself to this information, it must appreciate how unfettered access to Al increases its power in ways that may exceed our constitutional traditions or other societal expectations.”

However, the report also cites the potentially valuable nature of CAI, and how accessing it through commercial data brokers saves taxpayer money. “The IC is strongly of the view that it will be at a significant disadvantage vis a vis foreign adversaries and competitors if it does not enjoy certain access to CAI,” the report says.

The report also cited several beneficial uses of CAI. One of those is the DIA’s Office of Intelligence and Analysis and its use of CAI for its “Web of Science” tool, which provides government analysts with easy access to a large pool of academic publications. CAI is used by the DHS’s Clearances, Logistics, Employees, Applicants and Recruitment (CLEAR) program to help resolve identities and provide leads.

Cybersecurity and humanitarian missions, as well as clandestine and “human intelligence” operations, are also consumers of CAI, according to the report. The report cites the potential benefits of CAI for “building and training artificial intelligence models,” which could be useful “to gain analytic insight or for other purposes.” Finally, the report notes that, since the data is available for purchase on the Internet, it’s likely other nations are also buying data on Americans.

Will the CAI report increase calls for an American version of GDPR? (everything-possible/Shutterstock)

The report provides three recommendations on steps the government should take in regards to the vast CAI collection and storage effort. The first is to thoroughly document the acquistion and use of CAI. The second is to develop a set of standards and procedures for acquiring and handling CAI. Thirdly, the report says the intelligence community needs to “develop more precise sensitivity and privacy-protecting guidance for CAI.”

It’s unclear how much CAI the government has acquired, where it stores the data, what exactly it’s doing with it, or how much it costs; the report doesn’t provide much insight into any of those questions. It also notes that the government also has access to non-public information that is even more sensitive and which has even greater restrictions around it’s use. But this report was limited to the government’s actions around data that is publicly available, and thus carries fewer restrictions on its use.

The revelation is bound to increase calls for greater protection of American’s private data, and perhaps even for a US version of the General Data Protection Regulation (GDPR), which has protected the digital rights of European Union residents  for the past five years.

One of the first American political leaders to make such a call was Representative Ron Wyden, a Democrat from Oregon, who is the one who requested the Director of National Intelligence, Avril Haines, to release the report.

“This review shows the government’s existing policies have failed to provide essential safeguards for Americans’ privacy, or oversight of how agencies buy and use personal data,” Wyden said in a press release. “Congress needs to pass legislation to put guardrails around government purchases, to rein in private companies that collect and sell this data, and keep Americans’ personal information out of the hands of our adversaries.”

You can access a copy of the ODNI’s report that NBC News is hosting here.

Related Items:

GDPR Celebrates Fifth Birthday, Meta Fined $1.3 Billion

10 Items to Consider for Data Privacy Day

A Culture Shift on Data Privacy