Corporate Data Collection and U.S. National Security: Expanding the Conversation in an Era of Nation State Cyber Aggression

This post has been adapted from prepared remarks delivered at the Georgetown Law Cybersecurity Law Institute luncheon on May 24, 2018.

Are we framing the conversation about corporate data collection too narrowly? Traditionally, concerns about corporate data collection have been viewed through the lens of consumer privacy. Meanwhile, concerns about government surveillance have focused on the threats posed to privacy and civil liberties and protection from government overreach. But the 2016 election suggests that we should think more seriously about the national-security consequences of corporate data collection, as well.

Based on what we have learned publicly so far about the Russian election interference, it is worth pausing to reflect on the national security implications of corporate data collection and aggregation as it relates to the collection of individual, private citizens’ data. My goal here is to weave together some themes that are playing out in our public debates over surveillance, cybersecurity, privacy, and, the ongoing investigation into Russian interference in the 2016 election. Recent events should push us to consider more carefully how data of and about individual persons, by the private sector, may constitute a collective national security threat.

1. The Premise That Government Surveillance is More Dangerous Than Corporate Surveillance

Looking back several years, the Snowden disclosures precipitated increasing public scrutiny of government surveillance activities, both in the United States and abroad. The academic, legal and policy debate that took place over the next few years has continued, although the temperature of the debate seems to have lessened somewhat since amendments to FISA were passed in 2015 that ended the bulk telephone metadata program and added additional transparency and oversight provisions.

No matter what “side” of the surveillance debate one might find themselves on, however, that debate was premised on one generally accepted proposition: that government surveillance presents special and unique privacy concerns, because when the government collects your information, it can do something with it that restricts your liberties.

Specifically, the government can investigate you, prosecute you, and even potentially jail you if found guilty of a crime. Companies, on the other hand, might collect a lot of data, but they can’t take those specific actions that restrict your liberties and can change your life.

This widely accepted proposition was, in my view, best encapsulated by a piece by Sen. Sheldon Whitehouse that ran on Lawfare in June 2015, entitled “Why People Hate Government Surveillance But Tolerate Corporate Aggregators.” Whitehouse observed that “… the greatest collector of data on ordinary Americans is not our government, but the private sector entities gathering personal data for marketing and commercial purposes,” and asked why Americans were relatively comfortable with that state of affairs. He warned of an increasing blind eye being turned to the power of private wealth, as it resides in those corporations.

Even those government officials who spent the immediate years after 2013 defending the legality and propriety of government surveillance activities, generally have accepted this proposition. I have testified before Congress, written and spoken about the value of the oversight structures that protect privacy and civil liberties in the context of government surveillance. Likewise, most of the writing and speaking by others who support lawful, structured, but robust intelligence gathering capabilities has focused on the law, rules and compliance structures around collecting and handling the information.

As a result, to the extent the national security and privacy communities have discussed and debated the risks posed by private sector collection of individual persons’ data, they have generally focused on the risks posed to civil liberties and personal privacy. We have also pointed to legal and policy structural designs in place to prevent privacy abuses. Corporations, meanwhile, have understood these risks in terms of threats to enterprise data, trade secrets and intellectual property, as well as to a company’s financial viability, legal liability, and brand performance or reputation.

Concurrently, the cybersecurity community has long acknowledged the national security threats posed to government systems from a national security perspective. It has also come to understand the risk to private systems that contain sensitive government information: for example, defense or homeland security contractors that do work for the government, or academic institutions that do sensitive government-sponsored technical research.

Meanwhile, in just the past five years, the risks to data collected and retained by private sector remain sky high. Technical changes, such as the wider deployment of consumer level encryption have sought to diminish the risk of inadvertent exposure. There is an entire industry that has been built on the back of mitigating the threat of unauthorized data exposure or loss.

Risks come from both internal and external actors. Internally, weak controls can lead to inadvertent data slippage or exposure. Personnel issues make insider threats particularly challenging to address. Externally, the threat comes from criminal enterprise, hacktivists and, of course, nation states.

At this point, the private sector is—or at least should be—well aware that there are threats to their data from other countries’ governments, including their intelligence services. There is a proliferation of cybersecurity “solutions.” Consultants, lawyers, and former U.S. government officials have all made themselves available to describe the threat and propose technical, structural and compliance-focused ways to mitigate it.

Despite this continuing and widely recognized threat environment, the United States still has a loosely regulated environment when it comes to technology companies that collect vast amounts of private citizens data. In addition, there is still no national data-breach law, nor any consensus on how to regulate social media companies—if at all. Further, even under existing state laws and voluntary frameworks, companies are still disincentivized from providing transparency regarding data exposures or losses or other types of inadvertent accesses or manipulation, unless they are compelled by law to do so.

And, yet, the volume and complexity of data about Americans collected, retained, aggregated, manipulated, shared, used and sold by the private sector continues to grow.

2. Special Issues in Private Sector Data Collection

Let’s consider some specific characteristics of private sector data collection:

First, private sector collection of data is, at some point, collected directly from the individual citizen, or customer. There are, of course, downstream companies that obtain data, or third-party vendors. But when we provide data to private sector entities early on in the process, we do so voluntarily—at least, voluntarily in the most generous sense of the term. We do so out of convenience, to obtain services, or because our participation in some activity or community requires that we participate. Who hasn’t been, in essence, forced to sign up for some electronic sign-up sheet, invitation service, communication app, social media platform, or rideshare—just to be able to participate in a work or community event? At this point, our choice to provide our personal information is both voluntary and not voluntary.

On the other hand, government acquisition of digital data often is conducted through a third party—like a communications provider or similar Internet platform—pursuant to legal process. Although companies have been criticized for complying with government requests for data, companies as intermediaries can be viewed as a protective feature. While we are in the midst of a potential modernization of the legal standards that should be used to obtain data from third parties, the use of legal process and the filter that those private sector intermediaries provide a buffer between the companies’ retention of information and the government’s ability to get it. Communications companies and other technology companies that provide services through apps and other digital platforms have legal offices, compliance offices and law enforcement response protocols, along with personnel whose job it is to work on a day to day basis to ensure that the government’s requests are lawful and appropriate.

Second, the standards that apply to private companies to protect data are inconsistent. While private companies maintain voluntary standards and risk frameworks, application of these standards is not mandated by law. Data breach laws and other liability risks might provide some deterrent, but they are weaker sauce than up-front legal requirements.

Third, data in the possession of private entities can be moved—or located in countries with lower legal standards for government access. Customers may or may not know where their data is located and what standards apply for government access, provision to other entities, or security requirements.

With data collected by the U.S. government, we can reasonably assume that it will be retained domestically on government-controlled systems. While there is information sharing with international national security partners, that sharing takes place according to procedures or rules that have been worked out ahead of time.

Fourth, data is for sale. This is self-evident. Indeed, consultants recommend that businesses treat data as a competitive advantage. There is no way to paint all companies with a broad brush on selling data, as each company in this space operates differently. Some companies sell data directly to other entities, companies like Facebook and Google have maintained that they do not sell user data outright. Depending on the applicable business model, however, companies do sell access to their user’s eyeballs. When, during a congressional hearing, Mark Zuckerberg was asked by Sen. Orrin Hatch how Facebook sustains its business model while remaining free to users, the Facebook CEO’s response was as straightforward as can be: “Senator, we run ads.”

This same financial incentive for selling data outright or selling access to users as it applies to the private sector is not similarly applicable to data retained by the federal government. To date, systematic programs of the federal government selling citizens’ collected data have not come to light, if they exist. But there have been reports of state governments exposed as having been selling citizens’ data—an issue that requires further scrutiny.

3. What has the Russia investigation Revealed About Risks Inherent in Mass Private Data Collection?

Although the Senate Select Committee on Intelligence (SSCI) and special counsel investigations are not yet complete, we know enough already about Russia’s interference in the 2016 election to understand that data collected from private companies and organizations can be accessed, exposed and potentially misused in a way that is harmful to the country’s institutional stability. At the very least, it misuse sows distrust and confusion. At worst, it shreds the institutional and societal fabric that holds the country together.

Among the many lessons of the Russia investigation may be that there is a more substantial national security issue than previously considered, posed by the collection and use of individual’s data, and data about individuals, collected and retained by social media and other technology companies. This includes the downstream access to this data by foreign intelligence services or their surrogates.

So far, the Russia investigation has produced the following examples of how Americans’ online presence and digital data was accessed, compromised, used or manipulated in the course of efforts to manipulate the 2016 election. These are not exhaustive, but are illustrative:

• Communications, including emails, of the Democratic National Committee were hacked and released publicly via WikiLeaks.
• Emails of additional high-profile individuals were publicly released by D.C. Leaks and Guccifer 2.0, who is believed to be affiliated with Russian intelligence.
• Facebook has identified accounts associated with APT28—a group linked to the Russian intelligence services—that took part in malicious cyber activity on the platform that targeted employees of U.S. political parties^.
• Facebook also determined that over 29 million users were exposed to information in their news feed from the Internet Research Agency, the Russian government-sponsored organization indicted in federal court for, among other charges, conspiracy to defraud the United States.
• Twitter reported that in one day, it detected close to half a million suspicious log-ins. This was revealed through new processes that Twitter has implemented as a result of election inquiries exposing how the automated use of Twitter has been manipulated, and to better identify suspicious accounts and activity.
• The use of our online data for political purposes is not limited to any one company. Cambridge Analytica obtained access to over 50 million Facebook accounts on behalf of the Trump campaign, for political advertising purposes. Google played an important role in the Obama campaign.

On one hand, use of this data for domestic political purposes may make perfect sense as a 21st century expression of democracy. But what if that same data is obtained or manipulated, or its users are targeted, as a foreign intelligence operation? At that point, we have a national security problem.

As Clint Watts—a former FBI agent and leading authority on Russian active measures—explained in testimony before the Senate intelligence committee, Russia’s goal is to “topple democracies.” And in order to do that, the Kremlin is using Americans’ own information and technologies that the United States has popularized.

Pierre Omidyar, eBay’s founder, has put it another way, writing in the Washington Post last year that “the monetization and manipulation of information is swiftly tearing us apart.” Many of the most-affected technology companies in the Russian influence matter—and other companies and organizations that are aware of the nation-state cybersecurity threat—have taken voluntary steps to mitigate the risks to data and users. But again, all of these acts are voluntary. That voluntariness may not adequately address the threat.

While the federal government is no model of data protection, the government is applying some pre-existing mechanisms to address state-sponsored cyberattacks. Consider, for example, the government’s use of criminal prosecution as a means of providing accountability to Chinese government actors for economic espionage. But the Chinese cases allege a different type of activity than what the public record tells us about the purpose of the Russian influence activities. Another government response available to cyberattacks from nation states is available in the military context—but that type of response requires certain legal and policy thresholds to be met, which are lacking here.

In the civilian space, the government does have at least one structured way of evaluating the national security implications of private sector activities: the process by which the Committee on Foreign Investment in the United States (CFIUS) reviews mergers and acquisitions for national security consequences. In most cases, CFIUS reviews a proposed activity and approves it. But in some cases, CFIUS reviews a proposed activity and recommends modifications—or recommends that the activity not progress at all. In other words, the proposed activity—a wholly private sector transaction—is reviewed for national-security consequences in advance, because Americans collectively recognize that a threat exists and needs to be mitigated.

CFIUS is just one example, and it is not a model that has been replicated in other contexts. But it is a useful illustration, to point out that, today, we have no similar framework for even thinking about how to evaluate private sector data collection activities from a national security perspective.

4. Expanding the National Security Conversation Regarding Data Collection & Practices

National security issues are defined by their how they have the potential to affect American institutions, freedoms, communities—overall, our way of life. Setting aside whether there was knowing involvement by Americans in the Russian effort to influence the election, there is no disputing the existence of a Russian influence campaign intended to affect our democratic elections—or that the actors involved stole, accessed or used communications and other digital data available through a variety of sources to implement their plan. This effort was carried out, in some part, by the acquisition of data or access to users available via private sector digital platforms. The hearings into Russian interference so far have properly asked what more companies can do to mitigate the activities of hostile nation states for the data they have already collected. But there also seems space here to ask whether there is a greater role for government, in the civilian arena, than to merely ask the companies to do more.