Spy agencies must craft safeguards for using sensitive commercial data, ODNI says

HT Ganzo/Getty Images

The new framework follows a report last year that showed the intelligence community frequently relies on purchased sensitive information.

The Office of the Director of National Intelligence issued a framework that aims to guide spy agencies on best practices for ethically using commercial data that analysts frequently leverage in their day-to-day work, declaring they must have in place procedures to safeguard collected data that can easily identify Americans.

Spy agencies often obtain data to help them complete mission objectives, which includes telemetry from computer logs or weather data available online. But purchases of data from platforms or apps, where consumers legally but sometimes unknowingly give away their location information and other personal details by clicking “yes” on user agreements, have become a privacy ethics flashpoint.

The guidance seeks to further center privacy and civil liberties considerations when such data is used by U.S. intelligence operatives and cyber warfare units. Personal information that’s hoovered up on digital marketplaces like social media platforms is packaged by data brokers, and spy agencies are among their customers. The dynamic has put the IC on thin ice with some lawmakers and privacy advocates who call it an end-run around the Fourth Amendment, which bars unreasonable searches and seizures.

It highlights “sensitive commercially available information” which contains a “substantial volume” of personally identifying information or specific identifiers that can easily trace back to a U.S. person and their religious affiliations, gender identity or other affiliations.

“IC elements must have in place policies and procedures to ensure they appropriately safeguard any Sensitive CAI,” the framework’s fact sheet says. “Such policies and procedures must take into account not only factors such as the volume, proportion, nature, and intended use of information but also include enhanced safeguards such as restricted access, additional internal controls, and approval requirements.” 

Sensitive information uses must be periodically reviewed and ODNI will need documentation from IC groups that describes the types of sensitive information acquired, the blueprint says.

The release was crafted by a senior advisory panel, and their recommendations were accepted by every IC element, the ODNI said.

“Put simply, the combination of an increasing amount of readily available data regarding the activities of individuals — often perceived as not especially sensitive on its own — and increasingly sophisticated analytic tools can in the aggregate raise significant privacy and civil liberty concerns,” an office statement said.

A report released last year said that the IC frequently buys troves of Americans’ data with few checks and balances, and that use of such information without oversight presents a privacy threat. Some of those purchases have included social media data, it said at the time.