When can US spies buy your personal data? New guidelines are coming

Certain missions require government acquisition of personal information collected by data brokers, and appropriate safeguards need to be put in place, the official said at a Cyber Command-hosted event.

The Office of the Director of National Intelligence will soon release guidelines to help the intelligence community better gauge ethical considerations for operatives who purchase commercially available data that can include sensitive personal identifiers, a top Pentagon lawyer said.

DOD associate deputy general counsel for intelligence Lindsay Rodman said ODNI is “nearly complete” with the framework that aims to help the IC identify privacy concerns that may arise when it purchases datasets sourced and aggregated by data brokers, who sell the information to other entities for marketing or intelligence purposes.

The nine principles are set to be released “any day now,” she said at a Cyber Command legal conference at Joint Base Andrews in Maryland on Tuesday. 

“When [commercially available data] presents the kinds of privacy and sensitivity concerns that we’re talking about, then there’s basically a whole rubric of requirements for doing that analysis and then putting appropriate safeguards in place,” she said.

U.S. spy agencies often obtain data to help them complete mission objectives, which could include telemetry created by computer logs or weather data publicly available online. But purchases of data from platforms or apps where consumers legally but sometimes unknowingly give away their location information and other personal details by clicking ‘yes’ on user agreements have become a privacy ethics flashpoint.

That data is packaged by data brokers, and spy agencies are among their customers. The dynamic has put the IC on thin ice with some lawmakers and privacy advocates who call it an end-run around the Fourth Amendment, which bars unreasonable searches and seizures.

The vast majority of DOD and IC operations have nothing to do with U.S. person information, Rodman said. But “there are certain missions that do require digging into this information, and for those, that’s where we need the extra safeguards in place.” The Pentagon is also putting together its own related framework for such policies, but that is still being worked on, she added.

She said the IC still opposes a slew of congressional proposals that would bar law enforcement from purchasing commercial data or require a search warrant to access such data, arguing they would stop national security investigations in their tracks and “place serious obstacles in the way of us performing our mission on a daily basis.”

An ODNI report released last year said that the IC frequently buys troves of Americans’ data with few checks and balances, and that use of such information without oversight presents a privacy threat. Some of those purchases have included social media data, it said at the time.

“Without proper controls, [commercially available information] can be misused to cause substantial harm, embarrassment, and inconvenience to U.S. persons,” said the findings.

A recent White House directive that gives agencies legal power to stop Americans’ sensitive data from falling into the hands of foreign adversaries appears to not have any direct implications for spy agencies relying on data purchases. 

“ODNI is committed to engaging in our work in a way that is protective of privacy and civil liberties, and we are finalizing a framework that lays out standards and processes governing the Intelligence Community’s access to, and collection and processing of, commercially available information,” an ODNI spokesperson told Nextgov/FCW. “We will publicly share as much of this framework as possible.”

This commercially available data should not be confused with information gleaned from government-owned databases under the soon-to-expire surveillance authority in Section 702 of the Foreign Intelligence Surveillance Act. The IC is able to leverage harvested communications from overseas targets under 702, and has come under fire for inadvertent collections of Americans’ communications data without a warrant.

A new federal privacy proposal unveiled Sunday would require data brokers to add themselves to a Federal Trade Commission registry that publicly signals they are in the business of aggregating and selling data bundles. It would also include a “Do Not Collect” directive that allows individuals to request data brokers not hoover up their information.

Editor's note: This article was updated April 10 to include comment from the Office of the Director of National Intelligence.