Congress Surveillance & Privacy

Lawfare Daily: Justin Sherman on the Benefits and Limits of a New Law Governing Data Brokers

Stephanie Pell, Justin Sherman, Jen Patja
Monday, April 29, 2024, 8:00 AM
What is in the data broker bill passed by Congress? 

Published by The Lawfare Institute
in Cooperation With
Brookings

On March 20, the House of Representatives passed the Protecting Americans’ Data From Foreign Adversaries Act. The House bill was passed by the Senate on April 23 as part of the larger foreign aid package, which President Biden signed into law on April 24.

Lawfare Senior Editor Stephanie Pell sat down with Justin Sherman, Senior Fellow at Duke University’s Sanford School of Public Policy, to talk about the benefits and limits of the new legislation, now law. They talked about the path that led to the bill’s passage in both the House and Senate, similarities and differences between this new legislation and a recent Executive Order focusing on the preventing the sale of American’s bulk sensitive personal data, and some ways the new law could be improved. 

To receive ad-free podcasts, become a Lawfare Material Supporter at www.patreon.com/lawfare. You can also support Lawfare by making a one-time donation at https://givebutter.com/c/trumptrials.

Click the button below to view a transcript of this podcast. Please note that the transcript was auto-generated and may contain errors.

 

Transcript

[Audio Excerpt]

Justin Sherman

I think that's a weakness of this bill, which is also a weakness of many other bills and approaches to data brokers, is carving out those first parties. And that creates a gap in the national security context because then a foreign actor could approach a first party location data app or anything else and simply purchase the information from there.

Stephanie Pell

It's the Lawfare Podcast. I'm Stephanie Pell, Senior Editor at Lawfare, with Justin Sherman, Senior Fellow at Duke University Sanford School of Public Policy.

Justin Sherman

They were taking this sensitive information, including about kids, and sharing it. I think that's a great example of why, when you have these limitations on percent of revenue, or first-, third-party, you completely ignore activity that's happening that's really, really concerning. And in fact, might be the most concerning, because they're getting data directly from people.

[Main Podcast]

Stephanie Pell

Today, we're talking about the benefits and limits of a new law governing data brokers.

Justin, you're back to talk about Congress's ongoing efforts to regulate the data broker ecosystem. And this time there has been a significant development. Can you start off by bringing us up to speed? What has happened in Congress?

Justin Sherman

Yeah, we do have an interesting development. Usually I feel like we end these episodes by asking what should Congress do and now we're opening with Congress having done something. So just last night, the Senate passed a foreign aid package that has a bunch of different elements in it, including several foreign aid expenditures, including a bill related to TikTok. In this context, when talking about data brokers, it also included a bill that the House had written, essentially attempting to limit the personal data about Americans that third-party data brokers, these companies that buy and sell people's data, limiting the data about Americans that those companies can sell to foreign countries, specifically entities in China, Russia, North Korea, and Iran. And this was, as we'll, I'm sure, get into, legislation that has been talked about for a little while, and there was some separate movement in the House around it. But now that it's been attached to this aid package, It has moved through the Senate as of last night. And when I say last night, this is, this would be Tuesday, April 23rd is when the Senate passed this package.

Stephanie Pell

And to be clear, when we are talking about data brokers and the data broker ecosystem, can you tell us who some of the players are? As we know, this bill is focusing on preventing the sale of Americans’ data to certain countries that we will discuss. But give us a little background about the data broker ecosystem and who the various players are.

Justin Sherman

There are thousands of data brokers in the United States. It's a multibillion-dollar industry. It's also a global industry. There's a large data brokerage ecosystem in India and in Singapore and in the EU and elsewhere, slowly growing one in China, which is interesting. And so, in the U.S., there are a wide range of companies involved in this business practice of selling data. This ranges from large, publicly traded companies like Oracle, which has a cloud business and software businesses. It also has a data sale business. This includes the large credit reporting agencies, Equifax, Experian, TransUnion. It includes very small people-search websites. So the sort of online background check sites that often pop up when you Google a name that scrape information from public records and sell it online.

As well as, and this is important in terms of the bill, there are also a lot of companies involved in selling data that are first parties. And by that, I mean they're the companies we directly interact with. So this might be a mobile app that sells people's location data. This might be a telehealth service that sells information about people's access to prescription medications. And so it's a pretty wide-ranging ecosystem in the U.S. And as we just noted, there are a wide range of players from large companies to small ones, from specialized companies to companies that sell all kinds of data. And it really varies in terms of whether they make all of their money from selling data, which some do, or whether they sell data on the side to supplement their revenue.

Stephanie Pell

And before we delve into the substance of the legislation, as you noted, this was a bill that started on the House side and passed as a standalone bill. And as I understand it, the vote was 414 to 0. What do you make of that?

Justin Sherman

Yeah, it was 414 to 0, which is quite notable, of course, that there was, I would say, a lot of consensus, but clearly just consensus that this is legislation that needed to be passed. In terms of the context of how this happened, we can't really talk about this particular bill without also talking about the TikTok bill. We're not going to get too much, I know, into the TikTok bill here. And there are some great recent pieces on Lawfare folks have written. So go read those about the TikTok bill.

But I mentioned the TikTok bill because that's what spurred the authorship of this legislation, was there had been discussion in the House for a long time, of course, about TikTok. And then recently, with the introduction of a bill basically saying ByteDance has to sell TikTok to a U.S. owner or the app stores have to block it. As that was being debated and as folks were trying to get the number of votes they needed to get that through the House, some members of Congress and their staff rightfully asked, what about data brokers and what about the rest of our data ecosystem? Like, okay, we can hear you out that maybe there are some concerns from folks about certain things with TikTok. What about the fact that we don't have a comprehensive set of privacy regulations in the U.S.? What about the fact that a foreign actor could approach a data broker and buy 200 million Americans’ location data or a bunch of people's health conditions with no restriction? That seems to be a gap as well.

And that's what spurred the authorship of bill, is the committee said, okay we're going to then create a second bill that would address some of those, or attempt to address, I'll say some of those other concerns, and we'll also introduce it along with the TikTok bill. And so, after the TikTok vote happened, and the TikTok bill passed the House, the House then voted on this legislation dubbed the Protecting Americans’ Data from Foreign Adversaries Act. Someone can figure out what that acronym is. But so, that this was voted on after the TikTok bill.

So all to say, that's what I think of it, is I'm glad that Congress is paying more attention, which it certainly is, to consumer privacy. But I would say we can't talk about how it had a 414 to 0 vote without seeing the TikTok context and the point that if we're going to focus on one app, we should also make sure we have good data privacy controls in some other areas.

Stephanie Pell

So then, what is this legislation attempting to do, and how is it attempting to achieve its goals?

Justin Sherman

The central concern is that we have very few regulations whatsoever on this practice of buying and selling data in the U.S. For example, as long as you're not doing it in a way that's defined as deceptive legally, there's no restrictions on selling people's geolocation data whatsoever. You can sell massive heat maps of people's real time locations. There's no issue there. Similarly with health data, we assume that a lot of health data would be protected, when in fact, for example, pharmacies are permitted to sell people's prescription purchase information under a ridiculous corporate free speech decision.

So all to say, there was concern that this is a privacy issue domestically. And certainly, we've talked about that on past podcasts. But this is also a national security issue if you particularly think about how could a foreign actor approach these companies and purchase information from them, say about people who live in the Washington D.C. area and their debt and their propensity for gambling, which is stuff you can go buy. I've bought stuff like this before. That could also include location data around sensitive government buildings. So there was generally a concern that there's a national security risk here and we need to do something about it.

So what the legislation attempts to do is say, third-party data brokers—so not those first parties, not mobile apps and not your telehealth provider—but third-party companies that collect American sensitive data and sensitive data in this legislation draws on ADPA, the comprehensive privacy bill from last Congress.

Stephanie Pell

That never passed.

Justin Sherman

That never passed. But it's references some of that other work, which I think is good. But so it says certain third-party data brokers cannot sell those categories of sensitive data on Americans to individuals in, as I had alluded to, four countries, North Korea, China, Russia, and Iran, as well as to any entities headquartered in those countries or otherwise controlled by those countries.

So, hence, for instance, if there was a Chinese technology company that had most of its operations in Latin America, that could still be covered because of where the company's headquartered, right? So that's the general thrust of the bill is to say, we want to create some prohibitions on these companies selling sensitive data on Americans to certain foreign countries. And who's in charge of enforcing that? That is the Federal Trade Commission. And they're going to make sure that they are investigating if any companies are violating this law.

Stephanie Pell

And we're going to talk more about this enforcement mechanism and the pros and cons of leaving it to the FTC. But I also think it's worth noting that the Biden administration recently issued an executive order that is also focused on preventing the sale of Americans’ bulk sensitive data to certain adversary countries. How would you compare this legislation to that executive order?

Justin Sherman

Yeah. The executive order is very significant in this area. As you said, it was also signed recently. So this is quite interesting timing that we've had the executive order, then we've had this. And I should also say, I consult for the Justice Department, as a disclaimer. These are, of course, my personal views I'm saying here, but just to say I have also helped with the executive order a bit, in full disclosure.

But the executive order, I think, attempts to do something very similar to the bill in the general sense that they're both concerned about this national security risk associated with a foreign actor potentially approaching a data broker and buying a bunch of information that, again, could be used in a national security context. So not thinking about broader privacy, not thinking about algorithmic targeting outside of national security. Specifically thinking about examples like I mentioned, where you can get access to non-public commercial data on things like debt that could be useful to try and recruit a spy or something like that.

But what the executive order does is it says that right now, in the proposed regulations, this is still ongoing, is a little bit different from the bill in that it targets third-party and first-party sale of data. So that's one big difference, is it says it's not just a third-party credit reporting agency or a third-party data broker that would have restrictions on its sale of data overseas. It's actually anyone who's selling data, or even “bulk transferring” is the term they use, data. And so that would include things like a mobile app selling people's geolocation data. That would be under the scope of the regulations right now from the executive order. It would not be under scope of the bill. So that's one big difference.

The second big difference is that the executive order focuses specifically on data about government personnel and data of certain types over a certain threshold. What do I mean by that? There's two categories. So one is if data is related in some significant way to a current U.S. government employee, then that is going to be restricted, whether that's financial information or health data or other categories under the executive order. The second bucket is it's not specifically related to government personnel or contractors or military service members, but it's sensitive information about Americans where the data set is large enough to pose a risk. So what the executive order regulations are going to do is basically pick a number and say, maybe, for example, if you sell location data on over 100,000 Americans, that's automatically restricted. Or if you sell genomic data on over a thousand people, that's automatically restricted. That's the second big difference, is the executive order has some bounds on dataset size and types of data a little bit more narrowly than the bill does, which is saying, you can't sell this data on Americans broadly. So those are two differences, right? We have the first- and third-party data broker definitions. We have the thresholds restrictions versus don't sell data on all Americans.

And the third big difference I'd point out is related to enforcement. And so, the reason I mentioned the Justice Department is that the executive order is giving the Justice Department the authority to monitor data broker activities or audit data broker activities to make sure that they're complying with the order and not selling data to individuals in the covered countries, which also under the executive order include, tentatively, Cuba and Venezuela. So the DOJ is in charge of it. It's very export control-like, where companies have to keep track of who they're selling to. Their reporting requirements proposed the DOJ can determine in each case if a company made a reasonable effort to not sell to someone. So it's very similar to if you think of OFAC and sanctions and export controls and all of that, versus, as we mentioned, the bill gives the authority to the FTC.

So that was a lot, but across those three areas, I think, the first and third party, the definition difference, the difference in data scope is important. And then that third piece, right? One is a very national security enforcement-style regime from the Justice Department. The other one is coming from the FTC, which of course, historically focused on consumer privacy.

Stephanie Pell

Given those differences, it sounds like you are suggesting that both efforts are welcome and needed.

Justin Sherman

I think both efforts absolutely are welcome and needed. And again with both, you can get into what are the pros and cons of each approach. And for instance, there are downsides to having thresholds. You can't fully address the national security risks without a comprehensive approach, and we can get more into the bill, too. So overall, absolutely needed. I'm thrilled that the executive branch is focused on these issues. I'm thrilled that Congress is trying to, at least, take a little step forward on these problems. The questions again, come back to implementation scope and what else do we need to do because it's such a wide and unregulated ecosystem to make sure that these risks are accounted for.

Stephanie Pell

Taking into account all those positive aspects of these efforts, you wrote a piece in Lawfare at the time that the House built, before it went over to the Senate, where you identified some key problems or gaps. And one of those issues stems from how the bill then and now the legislation that has passed through the Senate defines the term “data broker.” Can you talk about that and what some of the implications are for the way the data broker definition is limited?

Justin Sherman

The bill takes an approach to defining a data broker that is unsurprising given how a lot of bills and some state laws have defined a data broker, but it's also a weak definition. And this is what I had alluded to around a first party versus a third party. So again, just to be clear about this, by first party, I mean a company or organization you directly interact with. So this could be everything from Facebook or Google if you use their apps or websites to a telehealth provider to a mobile app you have in your phone. Even something maybe as back of mind for privacy discussion these days as a local restaurant website where you order a pizza. So anyone you're interacting with directly that's gathering data about you. But the direct relationship is the important piece.

Versus a third party where it doesn't mean they don't collect data about you. It doesn't mean that they don't make decisions that impact you. It just means you don't directly interact with that company. And this is a lot of data brokers, right? Axiom, for example, is one of the largest data brokers in the world, has hundreds or thousands of data points on billions of people, which is an extraordinary amount of data. And most people have never heard of Axiom in their life, and they're not going on the Axiom website, and they're not buying Axiom merch, or I don't even know if that exists. But they don't have that direct business relationship with the company. And so, that's a debate in this area is how do you define a data broker? This bill defines it as third parties. Some other state laws like in Vermont or Oregon define it as a third party.

But what I always say is there's a real problem with that, which is you're focused on the entity and not the activity. So you're focused on the entity of what is a “data broker,” quote unquote, rather than what you're really concerned about, which is the activity of selling data. And this matters because a lot of those first parties, as I mentioned, also sell data. There are lots of telehealth companies and mental health apps that sell data about people's activity. There would not really be a market, a multibillion-dollar market, for people's phone location data if it was not for mobile apps. There are at least hundreds, if not thousands, of mobile apps that sell users location data. So you use the app, they're a first party to you. You may have some understanding that they're collecting your location data, you also probably have some expectations around that. And then they can go and sell that information.

So, all to say, I think that's a weakness of this bill, which is also a weakness of many other bills and approaches to data brokers, is carving out those first parties. And that creates a gap in the national security context, because then a foreign actor could approach a first party location data app or anything else and simply purchase the information from there.

Stephanie Pell

As I understand it, the executive order is different in that way, in that it focuses on the data transactions so that those first parties you mentioned would be governed by the EO and the DOJ has a rulemaking process that is going forward.

Justin Sherman

That's correct. And the comment period on the notice of proposed rulemaking closed recently. And as you said, yes, of course, this is ongoing and there will be many more iterations and opportunities for the public to comment. I would encourage any listeners with thoughts about this to provide comments to the Justice Department. But that's essentially the view, right?

As you said, that we're not concerned about, is this entity a data broker and how much percent of revenue do they make from data sale? That's not the concern. The perspective I think is we're concerned about the national security risk. And for that reason, we're just concerned about the end outcome, which is someone getting access to this highly sensitive bulk data on U.S. persons and using it to harm national security. So, it really is that activity that's the focus of the proposed regulations. And again, not getting into a back and forth about which entities are our first parties or third parties, or do they make enough money to be qualified as a data broker? And instead just focused on, are you selling data? As I often say, if you broker data, you're a data broker or you're engaged in data brokerage, right? And so it's focused on that activity.

I will say this also, as I wrote in the article, it leads to an irony with the legislation, which is because of the third party limit in the House's data broker bill that's now passed the Senate aid package, I pointed out that the TikTok bill could pass and become law, and this data broker bill could pass and become law, and it would still be legal for TikTok to directly sell U.S. person's data to a foreign actor.

Stephanie Pell

Because they are a first party?

Justin Sherman

Because they're a first party.

Stephanie Pell

Under the bill?

Justin Sherman

Under the House bill, yep. Because they have a direct business relationship with their 150 million-plus customers. Selling data about those customers would not make them a data broker because they're a first party. It doesn't matter what they do with the data. This is again, the problem with the entity approach. Because they're a first party, it doesn't matter what they do with the data, they're not going to be covered. This has not been lost on other folks. There are plenty of other folks in this area who've made the same point. But I did notice that immediately that you do realize there is a big gap here if we're collectively concerned about potential Chinese government access to U.S. data that you could pass both of these pieces of legislation and the end result could still be TikTok being permitted to sell data to foreign governments.

Stephanie Pell

So the bill also has a definition of sensitive data that appears to be drawn again from other legislation. Can you talk about that definition and what benefits it may bring?

Justin Sherman

Absolutely. So ADPA, the American Data Privacy Protection Act, as I had mentioned, was the quote unquote “comprehensive privacy legislation” that was proposed in the last Congress not passed. But the reason we mentioned this is because this was a significant piece of legislation. There was a lot of work that went into it. There were many iterations of it. And a lot of folks in the privacy community spent a lot of time working on and trying to improve the different definitions and provisions in that bill. And so, I do think it's a good thing that when the House was writing this data broker bill, they looked to ADPA for definitions of sensitive data. And so, in this particular case, with both bills, but the data broker bill includes, under sensitive data: government-issued identifiers, so a social security number, a passport number, and so on; information about past, present, or future health conditions or treatments; numbers from people's financial accounts or credit cards; biometric and genetic data; precise geolocation information, and some other data types.

It also has language in ADPA that was also included in this House bill related to inference. So if you make a prediction about a piece of information or infer a piece of information that wasn't directly gathered, that could still be covered. And that's important because you could say, and data brokers say this frequently, oh we're not selling data about people who are suffering from depression, we would never do that. We're selling lists of people with a demonstrated interest in purchasing antidepressant prescriptions. This is a real example. So you get these like sort of semantic gymnastics where companies are trying to maybe skirt saying that they collect a certain type of data. And then there's also just the fact that you can infer a lot of health data and other things from location information and so on. So, I'll just say, I think that's a good definition that the bill uses for sensitive data.

And this is another point some folks have made about why having this bill pass could be significant, is you then get that definition of sensitive data into federal law. And so, then hopefully the idea is next time someone writes a new bill or there's a new comprehensive privacy debate, we already at least have that reference point in federal law. So that could be a really interesting way beyond the data brokers element of having this bill as part of the aid package that has now gone off to President Biden for signature.

Stephanie Pell

So in contrast to that very positive development or element of the legislation, you do, in your Lawfare article, identify some other issues of concern, with the understanding that you are not trying to let the perfect be the enemy of the good. But you do note that the legislation fails to mention or address situations where third-party countries could be used as intermediaries for countries that the legislation is targeting, i.e., trying to prevent the purchase of Americans’ data. Can you talk a bit about that?

Justin Sherman

I appreciate you mentioning the perfect, not the enemy of the good piece. I certainly don't want it to come off that way, and I don't think that way. You can't expect a perfect congressional bill. That, that doesn't exist, right?

But just to frame it, and then I'll get into specifically your question, the way I think about this is you shouldn't make the perfect the enemy of the good. At the same time, this is a problem where—by problem, I mean the privacy and safety and security risks from data brokerage. This is a problem set where the real solution lies with legislation. It lies with new laws. The FTC does some stuff. That's great. Now the DOJ is doing some stuff. That's great. Some states have done stuff. That's great. The real solution is going to come from new laws. And so that's one of the lenses through which I looked at this bill, was to say, we really have a need for new, strong legislation. Is this bill taking us in that direction or is it doing, is it falling short of that? And the third-country piece you mentioned is one of my concerns.

Let's talk about the executive order as a good point of contrast. So the executive order has some restrictions around companies selling data to entities in China, and Russia and Iran and North Korea and Cuba and Venezuela. And, as some folks have pointed out there’s a gap there. Because it doesn't say what about a front company the Russians set up in Germany? Or what about selling data to an intermediary in Brazil that then sells it again, completely independently, to someone in China? You have this, as you said, quote unquote, “third-country problem” where they can be an intermediary for data sale.

So this is a great example of why I have some issues with the bill, is the executive branch has limits in what it can do there. Because the executive branch can't say, oh you can't sell Americans bulk geolocation data to anybody outside of the United States because that's exceeding the bounds of law. The executive branch is drawing on the International Emergency Economic Powers Act and sanctions authorities and others to do this order. It doesn't have the authority to say, you can't sell Americans data to 190 whatever countries, or you can't sell it to these continents. That's the kind of thing where Congress would need to step in. So that's one area where I looked at the bill and said, okay, I understand what they're trying to do. I appreciate the effort. This hopefully could make some marginal improvement on the status quo, but Congress is the one that really needs to be saying, let's put provisions in here about third countries. Congress is really the one that needs to say. If we're creating a new law, why don't we make sure it's meaningfully better and more impactful than what's already in law? So this is one example of an issue I had with the bill is the third-country piece, but it's within that broader umbrella of yes, we should push for improvements. We should not make the perfect the enemy of the good, but we do need to have Congress do its job and go further than the existing law already does.

Stephanie Pell

You also raised some concerns with the bill's enforcement regime, which puts everything in the hands of the FTC. I know you are a fan of the FTC's work, so what are your concerns with making the FTC sort of the sole enforcement authority here?

Justin Sherman

I'd say there's two buckets of concerns. And yes, I would describe myself as someone who thinks the FTC is now and has for years been doing important, legally grounded bipartisan work on privacy. I know nothing about antitrust, so I can't speak to other areas, but I'm privacy 100%.

But I have two buckets of issues here. One is specifically related to the national security framing of the bill. And I say this as someone who does work on both privacy and national security issues. I say this as someone who has been very vocal in calling out to the national security issues from data brokerage. The bill takes a national security frame, of course, to the problem and looks at the issue of possible sale to foreign actors. It then also leaves the FTC responsible for enforcing it. And one of the issues I point out is the FTC has a lot of deep experts on ad tech, on data brokers, on privacy. So that's good. And they very much know how to go in and do audits and look at company controls and is data anonymized properly and this and that. But they're not a national security focused agency. That's not their specialty. There are, I think right now, maybe, and I cite this in the piece, this is public, three or four people in the entire commission that have security clearances. This is not an organization that's set up to do things like, here's a front company that's been set up by the Chinese government to acquire data. Where is it based? Oh, we found this out because of XYZ intelligence. How do we prevent that without disclose? We can get into all the potential complexities of those kinds of scenarios, but they're just not set up to do that kind of national security approach.

So that's one area in which I said, okay, we get a bit circular because it's a national security framing. It's about a data privacy issue. So because it's a data privacy issue, the natural and generally correct inclination is to give the authority to the FTC, but then the FTC is not a national security organization. So we go back to, you would need to give the FTC broader privacy authority for data brokers. So that's sort of one issue I think is just this agency being set up to have the capacity to specifically do the national security piece. Again, they're very deep experts on privacy, but on national security specifically, the FTC is not the place that's doing all the stuff.

And the second bucket of issues I have with giving it to the FTC comes back to funding. And as I and others have said many times, the FTC's entire team of privacy lawyers in their privacy division is about 40 people, 40-45 people, doing privacy enforcement for hundreds of millions of Americans. So already, their case output is staggering. They don't sleep or something. I'm not really sure. They do a lot of work with very few resources. And so there's often this thing that happens in Congress, I think, where folks go, oh we'll just have the FTC do it. With what money? With what additional resources? With what timeline?

Because timeline's another piece. There have been discussions of a comprehensive privacy bill completely separately recently where people are talking about, oh, we're going to have the FTC hire hundreds of people to augment their privacy work and get going in a year. And anyone who's listening who has worked there or worked in these areas, you know that's not a realistic timeline for a government organization to go from 40 people to 300 people and scale up and start doing enforcement. So again, it's a good effort from Congress to address this problem. I just think the second piece of the FTC challenge here is you can't be giving the FTC—I mean you can, but you shouldn't—give the FTC more and more authority and responsibility without a similar increase in funding and personnel and capacity to take on that additional casework.

Stephanie Pell

So some of this has come out in the discussion so far, but if you could have had a magic wand when the House bill went over to the Senate, and use that wand, let's say, to make two changes to the bill i.e., and the Senate would amend them in that way. What would your choices be?

Justin Sherman

My choices would be change the definition. I actually would prefer the bill not even use the phrase “data broker.” I would prefer the term “data brokerage” or “broking” or whatever, right? Talk about the activity and not the entity. So don't get into the first, third party thing. Don't also get into this conversation about they have to make a significant percentage of revenue from selling data, which I also think is ridiculous.

A great example of this is Life360. Life360 is a quote unquote “family safety” app where parents can put the app on their kids’ phones, watch their locations, and check in on them. The Markup did a story a couple of years ago that revealed that Life360 was secretly selling parents’ and also children's location data to third parties. They were not making most of their revenue from doing that, but they were taking this sensitive information, including about kids, and sharing it. So I think that's a great example of why when you have these limitations on percent of revenue or first, third party, you completely ignore activity that's happening that's really concerning. And in fact, might be the most concerning because they're getting data directly from people. If I had one recommendation, too late now, but it would have been, change that definition in there.

And then the second thing is just general, which is make sure you're giving the FTC more funding. If you're going to give the FTC this authority, which now seems incredibly likely, to be signed by the president and then put into law, make sure you're giving the FTC more resources for their privacy team. And I've said this before, I understand that there are different disputes, including partisan or political disputes about the FTC's antitrust activity. Again, I'm not an antitrust expert. I do not have an opinion on that. But when it comes to privacy, it's been bipartisan work for years. They need more funding.

Stephanie Pell

So I'd like to ask you just to reflect now. Having given us the pros and cons of this particular piece of legislation, can you reflect on the significance though, that it looks like we're going to have legislation that begins to regulate the data broker ecosystem on a federal level.

Justin Sherman

I'm glad to see the attention to it. Again, it's not standalone, right? And even though these other things I'm going to mention either have not been introduced yet or are unlikely to be passed or are not yet passed, there's this legislation that now has passed the Senate that is hugely significant. There has also been a lot of debate about the Fourth Amendment Is Not For Sale Act and about the U.S. government purchasing data from data brokers without warrants or court orders. There's been a lot of discussion about data brokers in relation to the American Privacy Rights Act, the new discussion draft privacy package in Congress. So this topic of data brokers has been coming up more and more on the Hill. And yeah, I do think it's a significant moment that this is going to be passed into law. I think it reflects a clear bipartisan consensus that these activities are concerning.

And again, when you have companies that are not—it's not that they're using the data internally for their own business purposes. For instance, these are companies who are selling data and sometimes without controls, oftentimes very sensitive data. And they might do it for marketing, they might do it for something else, or there's various arguments, dubious or otherwise, about fraud prevention. So it really just shows there's more attention to data brokers as an issue. And so I hope that, rather than see this as quote unquote “the solution,” which it absolutely is not, and I think the authors of the legislation would be the first to say that we can see this as an important step in continuing to try and fight for better comprehensive privacy protections for Americans.

Stephanie Pell

And since you mentioned the Fourth Amendment Is Not For Sale Act, I think it's an interesting, companion or other side of the coin to this legislation. And it appeared, at least for a time, to potentially be on a path for passage. It got caught up in the FISA Section 702 reauthorization process. Can you share your thoughts on the Fourth Amendment Is Not For Sale Act and how it may relate to the legislation that now looks like it will become law?

Justin Sherman

I don't want to say it's the other way, or the flip side of the issue, but it is a flip side of the issue, right? Rather than, okay, we're concerned about what are the national security risks to the U.S. of a foreign government acquiring bulk data or buying data from data brokers, what are the domestic privacy, civil rights, civil liberties, freedoms, security issues, and concerns with the U.S. government purchasing data from data brokers? And the Fourth Amendment Is Not For Sale Act has also been part of the Section 702 and FISA debates on the Hill. It's a lot of different issues have gotten pulled into that debate about U.S. government surveillance activities, data protections for Americans.

But at a high level, I am a big fan of the Fourth Amendment Is Not For Sale Act. I think that of course law enforcement is going to say that it adds value to them to purchase geolocation data without a warrant or to quickly be able to go into a system like Thomson Reuters Clear or LexisNexis, which are big data broker repositories of people's information, and look people up and figure out where they live and make connections and try and hunt suspects. And of course law enforcement is going to say that. I don't think that's the point, right? The point is not, does purchasing information without going through a legal process provide value to law enforcement? The question is, should you be doing this in a country where there are strong principles around having restrictions on law enforcement's ability to surveil Americans?

And I say this is not a lawyer. I understand there's all kinds of arguments about the Fourth Amendment and technically is it being violated here or not? And how does Carpenter fit in and all kinds of legal issues. And there are some great papers out there. Folks should go read about that. But yeah, at a high level, I'd say, look, if we have protections in place for accessing this data, otherwise, you should not, as a law enforcement agency, be able to go buy 100 million Americans’ phone location data, not tell anyone and not need a warrant. I just think that's very problematic. Different pieces of legislation. But again, I think drawing attention to this issue of data sale and important concerns around it.

Stephanie Pell

Anything else you'd like to share with our listeners?

Justin Sherman

Just reiterating the two things I mentioned, right? One is that the executive order rulemaking process is ongoing. So the first window just ended, but there will be more windows for the public. That could be a private citizen listening, a company, a trade group, a think tank to submit comments on the proposed regulations. I highly encourage folks to do so. And I say that in my personal capacity, right? That's just always an important thing, I think if people have thoughts on these things to submit comments. And the second thing is, as we said, now this bill is probably, this aid package is off to, I assume, be signed into law. This is a big moment for a step on data brokers. And also the TikTok bill is a piece of this. And I know we haven't talked about that today, but that's also obviously a huge tech policy and cybersecurity development. It would be remiss to not mention that as well. We'll see what happens in the coming months.

Stephanie Pell

We'll have to leave it there for today. Thank you so much for joining me.

Justin Sherman

Thanks for having me.

Stephanie Pell

The Lawfare Podcast is produced in cooperation with the Brookings Institution. You can get ad-free versions of this and other Lawfare podcasts by becoming a Lawfare material supporter through our website, lawfaremedia.org/support. You'll also get access to special events and other content available only to our supporters. Please rate and review us wherever you get your podcasts.

Look out for our other podcasts, including Rational Security, Chatter, Allies, and The Aftermath, our latest Lawfare Presents podcast series on the government's response to January 6th. Check out our written work at lawfaremedia.org.

The podcast is edited by Jen Patja and your audio engineer this episode was Noam Osband of Goat Rodeo. Our theme song is from Alibi Music. As always, thank you for listening.


Stephanie Pell is a Fellow in Governance Studies at the Brookings Institution and a Senior Editor at Lawfare. Prior to joining Brookings, she was an Associate Professor and Cyber Ethics Fellow at West Point’s Army Cyber Institute, with a joint appointment to the Department of English and Philosophy. Prior to joining West Point’s faculty, Stephanie served as a Majority Counsel to the House Judiciary Committee. She was also a federal prosecutor for over fourteen years, working as a Senior Counsel to the Deputy Attorney General, as a Counsel to the Assistant Attorney General of the National Security Division, and as an Assistant U.S. Attorney in the U.S. Attorney’s Office for the Southern District of Florida.
Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; a senior fellow at Duke University’s Sanford School of Public Policy, where he runs its research project on data brokerage; and a nonresident fellow at the Atlantic Council.
Jen Patja is the editor and producer of the Lawfare Podcast and Rational Security. She currently serves as the Co-Executive Director of Virginia Civics, a nonprofit organization that empowers the next generation of leaders in Virginia by promoting constitutional literacy, critical thinking, and civic engagement. She is the former Deputy Director of the Robert H. Smith Center for the Constitution at James Madison's Montpelier and has been a freelance editor for over 20 years.

Subscribe to Lawfare