The United States Has a Data Broker Problem

Apple last month released its new App Tracking Transparency feature, which seeks to help users prevent apps from tracking, capturing, or selling their digital activity to third-party data brokers. Stopping the spigot of data flowing into the data broker pipeline is an important step toward securing America’s data infrastructure, whose vulnerability is a serious national security problem.

The data gathered by third-party brokers can include location history, religion, education level, income, and any number of other traits stemming from a person’s digital footprint. The brokers are so omnipresent that they can track U.S. troop movements or even the president with relative ease. While some brokers are well-known, publicly listed firms, many operate outside the limelight, with almost no federal oversight or regulation. Foreign governments can buy data from such brokers on thousands or even millions of Americans for less than the price of a new suit.

Breaches of the brokers’ own data pose a comparable risk. Already, massive breaches at brokers such as Equifax and Oracle have exposed billions of data points on American citizens. Hackers can use this data to target individual Americans for disinformation or intelligence-collection purposes.

This threat may seem hypothetical, but it is not. The Chinese Communist Party (CCP) has likely been compiling a massive database on American citizens for years, replete with health, travel, and financial data. Chinese contractors are not far behind in compiling data on millions of civilians from around the globe, which the Chinese government can, in turn, use to gather intelligence, especially on politically important individuals.

Even leading data brokers acknowledge the need to better regulate the industry. Currently, the federal government lacks a dedicated agency, bureau, or even a fully resourced division in charge of data protection. Without a dedicated staff in charge of the matter – most likely a data protection bureau within the Federal Trade Commission – any attempts to rein in data brokers will not succeed. Congress should also pass legislation giving Americans more notice of who owns what data, the timing of the data’s transfer to third parties, and how citizens can delete their data.

For the moment, however, given the continued lack of federal action, it will be up to firms, civil society organizations, and individuals to assert control over their data to ensure it will not be used against them. For example, the makers of smart phones and web browsers should consider a clear, consent-based “opt-in” privacy policy similar to Apple’s when it comes to sharing data with third parties. If firms fail to act, citizens need to take advantage of existing options – such as opting out of data brokers’ collection schemes and changing their social media and browsing habits – to reduce the mass of available data that malign actors could weaponize against them.

For too long, there has been a mismatch between the amount of data that U.S. citizens generate and the amount of effort the U.S. government and companies put into governing and securing that data. Congress and the Biden administration must act to prevent the transfer of data to U.S. adversaries.

Trevor Logan is a cyber research analyst at the Center on Cyber and Technology Innovation (CCTI) at the Foundation for Defense of Democracies (FDD), where he contributes to FDD’s China Program. Theo Lebryk is a CCTI intern and a master’s student in China studies at Peking University. For more analysis from Trevor, Theo, and CCTI, please subscribe HERE. Follow Trevor on Twitter @TrevorLoganFDD. Follow FDD on Twitter @FDD and @FDD_CCTI. FDD is a Washington, DC-based, nonpartisan research institute focusing on national security and foreign policy.