Personal data security in the US: the White House response to a new FTC and a congressional directive on geospatial data trafficking
The administration says that some types of sensitive data, such as personal identifiers, are being amassed by certain countries in order to conduct espionage and cyberattacks against the US.
The order described by the White House’s announcement doesn’t appear to address the overall issue of the personal data market in the US, which has very little in the way of boundaries. The FTC recently banned two brokers of selling precise location data that could endanger consumers, which is a case where case-by-case regulatory action can be taken.
They said that the order would have little immediate effects. The US Justice Department will instead launch a rulemaking process aimed at mapping out a “data security program” envisioned by the White House. The process affords experts, industry stakeholders, and the public at large an opportunity to chime in prior to the government adopting the proposal.
The Departments of Health and Human Services, Defense, and Veterans Affairs were ordered to make sure Americans’ health data cannot be transferred via other routes like federal grants.
The Committee for the Assessment of Foreign Participation in the United States Telecommunications Services Sector needs to look at personal data threats when deciding on submarine cable licenses. The order, which would be the president’s third so far this year, has not yet been published to the Federal Register.
Foreign actors aren’t the only concern. Senator Ron Wyden (D-OR), who has been beating the drum for digital privacy for many years, cited one of those bans when he called on the NSA to stop buying location information from data brokers. The US director of national intelligence said information US intelligence agencies buy from them is as detailed as any it could have gotten “only through targeted (and predicated) collection.”
It is not clear what degree such a program would be effective. Notably, it does not extend to a majority of countries where trafficking in Americans’ private data will ostensibly remain legal. What’s more, it’s unclear whether the government has the authority or wherewithal (outside of an act of Congress) to restrict countries that, while diplomatically and militarily allied with the US, are also known to conduct espionage against it: close US ally Israel, for instance, which the US accused in 2019 of planting cell-phone-spying devices near the White House, and which has served as an international marketplace for illicit spyware; or Saudi Arabia, which availed itself of that market in 2018 to covertly surveil a Washington Post contributor who was later abducted and murdered by a Saudi hit squad.
Health and financial data, precise geolocation information, and certain sensitive government-related data will be covered by the program, according to the officials. The order will contain several carve-outs for certain financial transactions and activities that are “incidental” to ordinary business operations.
The heads of the departments of commerce and State would be consulted by the US Attorney General to make up a list of countries that would be included in the program. A tentative list given to reporters during Tuesday’s call, however, included China, Cuba, Iran, North Korea, Russia, and Venezuela.
The Biden administration made an order to reporters known during a teleconference on Tuesday, only to take questions if they aren’t named or referred to by job title.