Cybersecurity & Tech Executive Branch

Limiting Data Broker Sales in the Name of U.S. National Security: Questions on Substance and Messaging

Peter Swire, Samm Sacks
Wednesday, February 28, 2024, 8:38 PM
A sweeping new executive order reveals a much bigger policy shift worth unpacking.
President Joe Biden (Official White House Photo by Adam Schultz, https://garystockbridge617.getarchive.net/amp/media/p20210706as-0036-51360855862-da9b8f; Public Domain)

Published by The Lawfare Institute
in Cooperation With
Brookings

A new executive order issued today contains multiple provisions, most notably limiting bulk sales of personal data to “countries of concern.” The order has admirable national security goals but quite possibly would be ineffective and may be counterproductive. There are serious questions about both the substance and the messaging of the order. 

The new order combines two attractive targets for policy action. First, in this era of bipartisan concern about China, the new order would regulate transactions specifically with “countries of concern,” notably China, but also others such as Iran and North Korea. A key rationale for the order is to prevent China from amassing sensitive information about Americans, for use in tracking and potentially manipulating military personnel, government officials, or anyone else of interest to the Chinese regime. 

Second, the order targets bulk sales, to countries of concern, of sensitive personal information by data brokers, such as genomic, biometric, and precise geolocation data. The large and growing data broker industry has come under well-deserved bipartisan scrutiny for privacy risks. Congress has held hearings and considered bills to regulate such brokers. California has created a data broker registry and last fall passed the Delete Act to enable individuals to require deletion of their personal data. In January, the Federal Trade Commission issued an order prohibiting data broker Outlogic from sharing or selling sensitive geolocation data, finding that the company had acted without customer consent, in an unfair and deceptive manner. In light of these bipartisan concerns, a new order targeting both China and data brokers has a nearly irresistible political logic.

Accurate assessment of the new order, however, requires an understanding of this order as part of a much bigger departure from the traditional U.S. support for free and open flows of data across borders. Recently, in part for national security reasons, the U.S. has withdrawn its traditional support in the World Trade Organization (WTO) for free and open data flows, and the Department of Commerce has announced a proposed rule, in the name of national security, that would regulate U.S.-based cloud providers when selling to foreign countries, including for purposes of training artificial intelligence (AI) models. We are concerned that these initiatives may not sufficiently account for the national security advantages of the long-standing U.S. position and may have negative effects on the U.S. economy.

Despite the attractiveness of the regulatory targets—data brokers and countries of concern—U.S. policymakers should be cautious as they implement this order and the other current policy changes. As discussed below, there are some possible privacy advances as data brokers have to become more careful in their sales of data, but a better path would be to ensure broader privacy and cybersecurity safeguards to better protect data and critical infrastructure systems from sophisticated cyberattacks from China and elsewhere. 

Would the Order Help National Security?

In the fact sheet announcing the order, the White House stated that “[t]he sale of Americans’ data raises significant privacy, counterintelligence, blackmail risks and other national security risks.” It is far from clear, however, that the new order will actually meet its stated national security goal of blocking adversary access to the data of Americans.

To start, the new order instructs the Department of Justice to begin an Advanced Notice of Proposed Rulemaking to limit defined transactions, for defined types of data. The defined transactions would limit “bulk” sales of data—defined in detail by the order, such as transactions of some kinds of data involving the data of 1 million individuals or more—to countries of concern. Not all categories of personally identifiable information would be covered by the order. 

Such limits, which the Justice Department fact sheet calls “targeted,” are unlikely to work against a capable and determined adversary—but more concerning, the new order, taken together with other similar administration initiatives, would create new risks to national security as the U.S. retreats from global commerce.

Recent revelations about Chinese hacking tools underscore the reach and sophistication of Chinese cyber infiltrations. For an advanced persistent threat such as the Chinese government, a regulatory approach targeted at some data sales would continue to offer numerous pathways for acquiring the data they seek. For example, the new order would apply only to bulk sales, but many small sales obviously can add up to a big total. Money laundering offers an instructive analogy here: Years of effort have gone into the detection and regulation of “structuring” transactions, to prevent the small from adding up to the big. It will be a long and uncertain path to build similar rules for data sales. 

Second, the new rule would rely on the International Emergency Economic Powers Act, which applies only to foreign activities. Sales to U.S. actors, therefore, would be outside of the new rule. A Chinese purchase, therefore, would succeed if the purchaser appears to be a U.S. entity. At least to date, there has been no mechanism for a data broker to assess whether an apparently American buyer is actually doing business with China. In addition, another difficult-to-stop loophole would involve sales to foreign entities outside of China that could then sell the data to China. The order contemplates that data brokers would need to develop a due diligence system to address these concerns.

Third, most privacy laws apply to “personally identifiable information” (PII), a broad term that includes anything linkable to an individual, often including identifiers that may be difficult to link, such as a device ID or IP address. By contrast, the rule would apply to a few categories of sensitive data, omitting even many types of data that are subject to other privacy regimes. Not only would the Chinese thus be able to purchase bulk amounts of many sorts of PII, but privacy scholars, including Daniel Solove, have become increasingly skeptical about a rule’s ability to effectively define sensitive data. Solove has recently called the sensitive data approach “a dead end” and points out that “it is easy to use nonsensitive data as a proxy for certain types of sensitive data.” 

As the term is used in cybersecurity, there are often “side channel attacks,” in which the attacker can use one type of information (the less sensitive data) to successfully gain access to the sensitive data that was supposed to be protected. For instance, the National Security Agency had its Tempest system that could reconstruct a computer screen without seeing it, by measuring its electromagnetic emissions. For data, supposedly anonymous data can often be reidentified, and supposedly nonsensitive data, as Solove notes, may often be used to gain sensitive data. Even without any direct access to medical data, for instance, any of the myriad apps that collect location data might be used to pinpoint if a woman has visited a reproductive clinic.

Fourth, the regulation would be developed and presumably enforced by an agency that has little history regulating data brokers or other commercial privacy issues. Today, outside of the rare criminal privacy case, the Department of Justice has no significant role in privacy regulation of the private sector. Congress and expert agencies have struggled to define and counter risks from the data broker sector, in part because data is used in so many different ways in different contexts, both legitimate and questionable. Commercial privacy issues are most often regulated in the U.S. by the Federal Trade Commission. By contrast, the National Security Division of the Justice Department has no “muscle memory” to rely on as it seeks to create a data broker regulatory system that would successfully close off Chinese access while creating new rules for data brokers, which state and federal regulators to date have found difficult to define and regulate.

The result of the new order may well be to create a significant new national regulatory regime, while a capable adversary such as China would still be able to access the data available within the U.S. market. 

Part of a Bigger Pattern

 

The importance of the new order is greater because the order appears to be part of a bigger shift in U.S. policy toward regulating global data flows, with potentially negative effects, including on the role that U.S.-based companies will play around the world. Understanding the national security, diplomatic, and international trade implications of the order makes sense only in the context of the historic U.S. support for open flows of data across borders.

Since the rise of the internet in the 1990s, the U.S. has supported a global trading system that authorizes privacy laws while supporting in general the cross-border flow of data for commerce, free speech, and numerous other reasons. In recent years, Japan has led an initiative among the Group of Seven countries to implement “data free flow with trust” (DFFT). One outcome, with U.S. support, has been important principles announced in 2022 by the Organization for Economic Cooperation and Development (OECD), on trusted government access to personal data held by private-sector entities. These principles highlight similar safeguards among rule-of-law democracies against unlawful government access. The World Economic Forum has analyzed DFFT, praising initiatives for proper government access while also saying governments should “prohibit requirements to localize the storage and processing of data.”

The most visible recent U.S. change in data flow policy came last fall when the U.S. removed proposals in WTO e-commerce negotiations and supported a pause in work on digital issues in the Indo-Pacific Economic Framework. For Lawfare, Nigel Cory and one of the authors (Samm Sacks) explored the implications for U.S.-China policy, and Kenneth Propp did so for the transatlantic relationship. International trade agreements allow for national security exceptions, so the Office of the U.S. Trade Representative’s (USTR’s) action was not necessary as a precondition for the new data security executive order. Yet the trade policy changes, taken together with the new executive order, now appear consistent with a broader national security strategy on the part of the Biden administration. This national security theme supplements the initial reporting on the U.S. shift on WTO policy, which highlighted support for the WTO change from progressives, such as Sen. Elizabeth Warren (D-Mass.), who have sought greater economic regulation of large tech companies. 

A second policy initiative comes in the Jan. 29 proposed rule from the Commerce Department, entitled “Infrastructure as a Service Providers’ Responsibility To Verify the Identity of Their Customers, Special Measures, and the Use of Their Products for Large AI Model Training.” The rule is designed in part to implement President Trump’s 2021 executive order designed to address “significant malicious cyber-enabled activities.” The proposed rule would impose Know Your Customer (KYC) requirements for cloud sales to non-U.S. customers, whether those customers are in allied nations or in countries of concern such as China. 

Concerns about these KYC requirements are similar to those discussed above for the order on bulk data sales—creation of a new national security regulatory regime that would apply to legitimate commercial activity while likely being ineffective against advanced nation-state attacks. The President’s National Security Telecommunications Advisory Committee (NSTAC), after hearing extensive testimony (including from Swire), concluded that the KYC approach “would be unlikely to decrease [abuse of domestic infrastructure] by malicious foreign actors using domestic infrastructure. Further such requirements may result in additional unintended consequences, including increasing friction with key U.S. allies, whose cooperation is critical in addressing global cyber threats.”

The proposed Commerce rule also would target non-U.S. purchasers who use cloud services for training of large AI models. Cloud providers would be required to monitor use of cloud services and report to the government activity that meets this text: “could result in the training of a large AI model with potential capabilities that could be used in malicious cyber-enabled activity.” Consider the breadth of this language. The activity “could result” in training an AI model. The model could have “potential capabilities” that “could be used in malicious cyber-enabled activity.” In the current state of the art, where essentially every line of business is developing AI models, this language would seem to apply to a very wide range of normal business activity. Then, for each report, the cloud provider would need to supply the government with detailed information, including “estimated number of computational operations (e.g., integer operations or floating-point operations) used in the training run.” 

These factors create a disincentive for any foreign purchaser to use a U.S.-based cloud provider at a moment when U.S. cloud service providers already face intensifying competition from Chinese firms. Jim Lewis has emphasized that Chinese firms enjoy an advantage over U.S. cloud service providers in Africa, Latin America, and Southeast Asia due to factors such as foreign assistance. The new reporting requirements are likely to further erode the competitive advantage of going with U.S. firms in these regions. 

AI reporting requirements also would appear to require more intrusive monitoring by cloud providers of their customers’ activities. Such monitoring can go directly against cybersecurity best practices, which can limit the degree to which an outside entity, including a cloud service, has visibility into an organization’s computing activity.

Pulling together the order on bulk data sales, the WTO policy changes, and the proposed Commerce rule, these and other policy initiatives seem to indicate the Biden administration’s willingness to pursue national security goals in ways that would alter the cross-border patterns of the global trading system, including flows to both allies and adversaries. One early test for the administration will come this week, as the WTO Ministerial Conference decides whether to extend the e-commerce moratorium on customs duties on electronic transactions, which the U.S. has long championed. The overall U.S. policy shift could inadvertently undermine commerce as well as U.S. national security . 

New Harms to U.S. National Security 

Policy analysis of global data flows often frames the issue as a trade-off between economic gain and national security risks. According to this logic, data flows enable trade and commerce but create vulnerabilities that foreign governments can exploit for espionage, coercion, and to gain a competitive advantage in AI.

Concern about these vulnerabilities is legitimate but also presents a false binary. U.S. national security is bolstered when the services are based in the U.S. or allied countries, rather than in China. One notable example is for lawful access to data held within the U.S. or allied countries, subject to the sorts of rule-of-law protections set forth in the 2022 OECD principles on trusted government access. The U.S. and its allies cooperate for law enforcement through mutual legal assistance treaties and for national security through important information-sharing agreements. The most visible current example of possible effects is for Section 702 of the Foreign Intelligence Surveillance Act (FISA), the legal authority for U.S. government access to collection of information within the U.S. when targeted at non-U.S. persons who are outside of the United States. The administration is strongly supporting continuing the Section 702 authority in current reauthorization debates in Congress. Section 702 has numerous critics, especially in the wake of revelations about large-scale FBI violations of the program’s rules. Assuming Section 702 is reauthorized, however, U.S. national security access, under FISA’s legal safeguards, succeeds only where there is “possession, custody, or control” by an entity within the United States. American allies have similar jurisdictional requirements, such as EU member states under the EU’s new e-evidence regulation for access for law enforcement purposes. If the effect of the new order is to increase the role of China-based providers, then that would directly reduce access for purposes of protecting U.S. and allied national security. 

As we have discussed previously in Lawfare, U.S. technology competitiveness and private-sector access to global markets fuels innovation and strengthens the ability of U.S. and allied firms to compete with Chinese firms in markets around the world. Indeed, as articulated in the U.S. National Security Strategy, economic competitiveness and national security are increasingly intertwined in the digital age. The U.S. and its allies also gain soft power advantages from U.S. and allied participation in markets around the world, compared with having domination by Chinese-based technology firms. 

Proponents of localization in other countries can use the shift in U.S. policy to justify a new wave of protectionist localization measures. U.S. tech firms operating around the world will be the easiest target of those localization measures, with consequences for human rights and U.S. national security beyond commercial loss. As we have argued previously, localization weakens cooperation with allies by making it more difficult to effectively share data for law enforcement, intelligence, cybersecurity, health research, and other common purposes. Restrictions on data flows imposed on U.S. firms by countries beyond China undermine the competitiveness of U.S. digital industries, reducing leadership in AI and cybersecurity-related capabilities. Limits on exports of personal data, such as the telemetry used in cybersecurity, could reduce the ability of U.S. cybersecurity companies to service the global market. 

There are also national security implications for how the executive order will impact the physical flows of data around the world. U.S. policymakers have made clear that the intent is not to “break the internet” and as such have scoped new rules narrowly so as not to disrupt telecommunications or undersea cables infrastructure. The proposed rules also clarify this by adding an example to underscore what does and does not fall in scope. As the rules take shape, this area will be important to watch to ensure the rules remain targeted. There is already in place a comprehensive and, some note, overly burdensome regulatory process in the form of Federal Communications Commission licensing to protect national security and law enforcement concerns with undersea cables. Adding yet more ad hoc disincentives and impediments to building new and diverse undersea cable routes works against the country’s security. Overly broad scoping of risk could lead to a scenario in which U.S. cables linking to other countries would be increasingly challenging to build because it could be deemed high risk and subject to lengthy regulatory review. Incentive would shift away from working with U.S. companies building cables while Chinese cables proliferate around the world. 

Explaining Limited Convergence With Beijing

The Biden administration must carefully craft its messaging about the shift due to the risk that other countries may use the new order and other U.S. policy changes discussed above as an excuse for their own measures to limit data flows, including through data localization. It will not be credible or effective to insist that nothing has changed in the long-standing policy of open and free data flows. Instead, the administration should be clear that there is change, and more clearly delineate what that change does and does not mean. Such messaging should be used for allies and partners, countries deemed adversaries, and the U.S. public. 

For example, from the perspective of Europe and other U.S. allies, the WTO shift has created uncertainty about under what conditions the U.S. continues to support data flows and oppose localization. Chinese technology experts have noted that the U.S. appears to finally be embracing the concept of digital sovereignty in prioritizing domestic security considerations in governing data glows. An Indian think tank stated that the USTR’s decision “is poised to spark a worldwide reassessment of national e-commerce policies.” Propp has reported that “the EU is struggling to understand the motivations for Washington’s shift in digital trade policy.” 

The convergence not only appears in positions in the WTO, but there are also ways that the United States and China appear to be moving closer, with both countries supporting national security limits on data exports while seeking the economic advantages of such exports. At the same moment the U.S. is moving to restrict new categories of data flows based on security justifications, Beijing is seeking greater economic growth by relaxing its long-standing, restrictive stance on data flows out of China. Last September, the Cyberspace Administration of China (CAC) issued a draft regulation that, if implemented, would exempt many companies from a burdensome security assessment before sending data out of the country. The two systems may appear to be moving closer toward one another from opposite poles: with the U.S. giving a greater role to national security while China is doing the same for growth.

Despite this surface similarity in policy moves of Beijing and Washington, stark differences remain. The Biden administration should explain convincingly that the United States supports data free flow with trust in ways that differ fundamentally from the Chinese approach. The presumption for the United States is that data can lawfully flow to other nations, albeit with targeted limits on data broker sales and sector-specific rules that may affect cloud and other online services. By contrast, the presumption in China is a prohibition on data exports, even if permits for such exports become somewhat more lenient. The administration can acknowledge its changed approach, explaining that the specific regulations on data for national security purposes are similar to prior export controls of dual-use technology, and similar as well to U.S. regulation of domestic markets for purposes such as consumer protection. With that said, no U.S. official will be reviewing each data transfer in the mold of Chinese government requirements, even with the proposed CAC reforms. 

Finally, a more effective way to explain the rationale for the order would be to focus less on China and other countries of concern and more on how it may spark overdue changes to the data broker industry. From a privacy point of view, it is troubling that the U.S. data industry now sells detailed geolocation data on military personnel for a few cents per service member (or other American). With Congress unable to pass major privacy legislation, the order may jump-start better data mapping and protective measures by data brokers. As the Justice Department stated in its press release: “U.S. companies and individuals would be expected to develop and implement compliance programs based on their individualized risk profiles.” This sort of due diligence has long been expected in the U.S., especially since the ChoicePoint scandal back in 2004, for credit reporting agencies, which are required to screen purchasers of credit histories to ensure they are legitimate (banks, insurers) rather than illegitimate (identity thieves). Assuming the proposed rules are finalized, data brokers would need to create analogous due diligence programs. If so, then that could make it easier down the road to have functioning data privacy rules that can build on the initial due diligence programs.

Conclusion 

The U.S. government has opened a new chapter in how it regulates data flows with recent actions at the WTO, scrutiny of foreign purchasers of cloud services, and the executive order regulating bulk commercial data transfers To reassure allies and fend off excessive limits in other countries on cross-border activity, the Biden administration should clearly and convincingly explain the vast gulf between the U.S. system, with a presumption of openness to the global internet, and the Chinese system, with its presumption of blocking exports of data and imports of foreign ideas.

The new limits on data sales restrict global commerce but likely with little to no national security upside. The new set of administration actions may hurt U.S. strategic interests, from ceding ground to Chinese cloud service providers and cable to freezing out lawful U.S. and allied access, under FISA Section 702 and other authorities, to global data flows. Identifying these strategic ripple effects of the recent policy shift illustrates how there is a false binary between economic gain versus national security risk—U.S. economic success abroad often benefits national security.

U.S. policymakers are correct to be concerned about Beijing’s access to American data in an era of strategic competition. Although the order may spur the creation of due diligence programs for data brokers, the best way to address data risks is by enacting nationwide privacy protections, such as the American Data Privacy and Protection Act. The U.S. government should continue to pursue a range of cybersecurity improvements, to protect data and information technology systems, and to respond directly to ongoing Chinese attacks on critical infrastructure. Far less clear is whether new data regulations in the name of national security will succeed in blocking an advanced persistent threat of China’s nature.


Peter Swire is the J.Z. Liang Chair in the Georgia Tech School of Cybersecurity and Privacy, and Professor of Law and Ethics in the Georgia Tech Scheller College of Business. He is Senior Counsel to Alston & Bird LLP, and Research Director of the Cross-Border Data Forum. He served as one of five members of President Obama’s Review Group on Intelligence and Communications Technology.
Samm Sacks is a Senior Fellow at New America and Yale Law School’s Paul Tsai China Center. She is also a Senior Fellow for China Cross Border Data Forum. She has worked on Chinese tech and cyber policy for over a decade, both in the national security community and the private sector. She is writing a book (to be published by the University of Chicago Press) on U.S.-China relations through the lens of data, including the geopolitics of data privacy and cross-border data flows.

Subscribe to Lawfare