As the data brokerage industry grows in the United States, numerous risks have emerged that threaten the privacy of citizens’ personal information, as well as the national security of the country. This is particularly concerning with the increasing fear of rival international powers exploiting this data. Consequently, there have been demands to close legislative gaps in U.S. data protection to keep up with developments in over 100 countries, including EU states, Canada, and China, which have already established national regulations for how digital platforms handle personal data.
In this context, the importance of researcher Caitlin Chin’s report, titled “Surveillance for Sale: The Underregulated Relationship Between U.S. Data Brokers and Domestic and Foreign Government Agencies,” published by the Center for Strategic and International Studies in June 2023, becomes clear. Chin explains how private companies create massive datasets of personal information, which data brokers collect and sell to public and private entities without proper safeguards to protect privacy and civil liberties. She compares privacy developments in the U.S. to those in the EU, Canada, and China, while also highlighting how U.S. data privacy regulations can strengthen national security, human rights, and American economic interests.
Who are the Data Brokers?
Many digital platforms share detailed user information with advertisers, private companies, and government agencies through a third party known as “data brokers.” These brokers profit from collecting personal information obtained from mobile apps, web browsers, social media posts, as well as audio and video recordings. They may also draw from government records such as voter registries or tax filings.
Data brokers can also acquire information from other brokers or by purchasing mobile apps to gather data, creating a complex and opaque network that individuals and the public cannot easily monitor, modify, or delete. According to software company Sensor Tower, the average American interacts with about 50 mobile apps per device each month, many of which track details like location history, call logs, and purchases to build a comprehensive picture of a person’s habits and lifestyle preferences.
The report highlights that there is no single legal definition of a data broker in the U.S., which poses challenges for regulating their interactions with government agencies. In 2014, the Federal Trade Commission (FTC) described data brokers as “companies that collect consumers’ personal information and resell or share that information with others.” The American Data Privacy and Protection Act (ADPPA) defines third-party entities as those “whose primary revenue source comes from processing or transferring covered data.”
To emphasize the importance of regulating data brokers, three U.S. senators expressed concerns in 2022 that companies like BetterHelp and Talkspace had shared sensitive mental health information, which could easily identify individuals and infer their location or even where they sleep based on movement patterns. Data brokers develop algorithmic models to infer or predict details such as health, finances, race, religion, gender identity, sexual orientation, and marital status.
The report argues that without federal regulations, Americans cannot control how data brokers handle their personal information, especially as first-party companies typically do not disclose the identities of the third parties they share information with or how algorithmic inferences influence decisions that may impact people’s lives and privacy.
Privacy Risks:
The report argues that third-party data brokers pose risks to individual privacy. These brokers have assisted health insurance companies in predicting physical and mental health conditions by analyzing disparate data points such as education, age, race, and social status, as well as accessing contact information that can identify users of mobile mental health apps. Consequently, privacy breaches by data brokers result in psychological, emotional, financial, and physical harm to Americans.
On the other hand, data brokers can perform a variety of functions for both public and private institutions, which could be beneficial for decisions related to employment, credit scores and risks, health insurance, and political awareness. Regardless of the purpose of this digital monitoring, there is ethical ambiguity in any contract signed by U.S. government agencies with data brokers. U.S. government contracts fuel the rapid growth of an industry facing minimal legal constraints on data collection, processing, storage, and sharing. Additionally, algorithms based on personal attributes sometimes draw inaccurate conclusions that can significantly impact people’s lives.
National Security Threats:
The general lack of transparency makes it difficult to measure the extent of cooperation between U.S. data brokers and foreign governments, including Russia and China. In 2020, the Director of the National Counterintelligence and Security Center stated that China is one of the world’s leading collectors of personal data, using both legal and illegal means. Although foreign governments, such as China, lack legal jurisdiction over most Americans on their soil, they can still benefit from global digital surveillance, including what U.S. data brokers provide.
Separately, in the 2016 U.S. presidential election, the Russian-linked Internet Research Agency (IRA) purchased around 3,000 political ads and uploaded 80,000 posts on Facebook using stolen American identities, reaching tens of millions of American users to discourage voter turnout.
The report emphasizes that as long as data brokers operate in this manner, it will remain virtually impossible to prevent this information from falling into the hands of hostile foreign powers. Although foreign governments may access information through various channels, the growth of the data brokerage industry expands and accelerates surveillance efforts on a broader scale. This highlights the importance of updating privacy laws to limit external data collection and mitigate risks to privacy, civil rights, and democratic values.
U.S. Legislative Gaps:
The United States has dozens of federal and state laws addressing how private companies protect personal information, but these have not seen significant updates for decades and lag behind technological advancements. Moreover, many U.S. commercial data protection laws pertain only to specific sectors and types of companies, leaving other entities, like data brokers, digital platforms, and mobile apps, unregulated in handling a wide range of sensitive personal information.
Although the Federal Trade Commission (FTC) can act against companies, including data brokers, engaged in deceptive practices across the U.S. economy, its executive authority is limited. Companies engaging in deceptive activities or distorting their privacy policies have led to a “notice and consent” system, where users must click “I agree” to allow data collection for accessing essential services. This focus on notice and consent can prompt companies to use vague language promising minimal or no privacy protection.
For example, the Electronic Communications Privacy Act of 1986 prohibits certain companies, such as phone companies and internet service providers, from voluntarily disclosing the content of communications and U.S. metadata to U.S. government agencies without a court order or subpoena. However, this law does not apply to data brokers or third-party app developers, who were not prevalent in 1986. This creates gaps where phone companies can sell personal information to data brokers, who can then sell it to government agencies outside the legal framework.
Protection Systems in Europe and China:
The report notes that maintaining global trust is challenging if many foreign governments escalate their intelligence activities, especially as advances in data collection exacerbate geopolitical tensions. Most major economies, such as the European Union, Canada, and China, have enacted national laws regulating how technology platforms collect, process, and share personal information.
For the European Union, restrictions on the data brokerage market are overseen by the General Data Protection Regulation (GDPR). Under this regulation, data brokers face stricter legal constraints in the EU compared to the U.S. because the GDPR’s transparency requirements expose EU data brokers to higher compliance costs, making the industry more hazardous and less profitable than in the U.S. The EU data brokerage market is estimated at around $116 billion compared to the U.S. market, which exceeded $200 billion in 2018.
Although the GDPR does not directly apply to most law enforcement and intelligence operations, it still requires data brokers to have legal justifications for selling personal information to government agencies, unlike the U.S. system, which imposes few strict limitations on these brokers.
The European Commission considers Canada’s data protection level to be “essentially equivalent” to the EU’s level, allowing for a higher degree of legal certainty in data transfers between Canada and the EU.
In China, surveillance relies heavily on private companies that collect and process personal information from both Chinese and non-Chinese individuals. Many laws regulate this relationship, granting China broad control over the data storage of companies under its jurisdiction.
In response to concerns about data localization in China and national security laws, the U.S., Canada, and other countries have banned TikTok on government-issued devices due to fears of access to information about American individuals that mobile apps, specifically TikTok, may transmit or store within Chinese borders. This is based on China’s 2017 National Intelligence Law, which requires individuals and organizations to “support, assist, and cooperate with state intelligence work according to the law.” Additionally, the Chinese Cybersecurity Law demands that internet platforms operating within national borders assist law enforcement in identifying content “that threatens national security and national interests.” Consequently, some U.S. tech platforms have ceased operations in China since the law came into effect in 2017.
The report compares the situation in the U.S. and China, noting that while U.S. legal requirements under the Fourth Amendment and the Electronic Communications Privacy Act are outdated, they offer stronger civil liberties protection compared to Chinese government practices in compelling private companies to obtain personal data.
In conclusion, the U.S. data brokerage industry presents multiple risks to privacy and national security, necessitating a comprehensive approach to curbing data transfers. Without broad regulations on how all mobile apps and data brokers in the U.S. handle sensitive personal information, effective prevention of data leaks to foreign governments will remain unachievable.
Therefore, the U.S. needs a multi-faceted strategy focusing on setting limits on how all American companies handle personal information, establishing protective barriers in government transactions with data brokers, imposing restrictions on the purposes of data transfers into and out of the U.S., and enhancing transparency by giving regulators and individuals more control over personal information while balancing the protection of publicly available information and cross-border data flows.
Source: Caitlin Chin, “Surveillance for Sale: The Underregulated Relationship between U.S. Data Brokers and Domestic and Foreign Government Agencies,” CSIS, June 2023.