In the shadowy world of U.S. intelligence, a quiet revolution is underway. After former President Biden’s administration spent years putting in place protections to safeguard Americans’ personal data, recent policy shifts under the Trump administration may have just undone all of that work.
Data's Role in National Intelligence
Even if just from spy movies, you’ll be aware of some of the big players in the U.S. Intelligence Community: the CIA, NSA, and FBI are probably the most famous. But apart from what you may have seen in Mission: Impossible, The Bourne Legacy, or Silence of the Lambs, there are 15 other agencies, too, including the Defense Intelligence Agency. These agencies are tasked with gathering, analyzing, and disseminating information related to foreign threats, terrorism, espionage, cyberattacks, and other security concerns. Together, these entities support policymakers by providing critical insights into global developments affecting U.S. interests.
How do they do that? Through certain types of publicly available information. One of those is what’s known as Commercially Available Information (CAI): data that can be purchased by the general public, including foreign governments and private entities. CAI offers significant intelligence value by enhancing what’s called open source intelligence (OSINT), which is the collection and analysis of information that is publicly available and legally accessible. This type of intelligence is derived from data sources such as newspapers, websites, social media platforms, public records, academic publications—basically, any media available to the public.
OSINT is used by intelligence agencies, law enforcement, businesses, and researchers to gather insights without engaging in covert or classified means of information gathering. It plays a crucial role in understanding trends, assessing threats, and supporting decision-making processes across various sectors. It enables these agencies to access valuable data, including social media information, reducing costs and risks associated with clandestine acquisition methods.
Concerns with CAI
For all its value, CAI also poses counter-intelligence risks as adversaries can access the same information.
The volume and sensitivity of CAI have expanded due to advancements in digital technology, such as location-tracking features in smartphones and ad-based revenue models. While CAI may be anonymized, it can often be deanonymized to identify individuals, including U.S. persons. Its increasing availability poses significant implications for privacy and civil liberties, necessitating careful consideration by the Intelligence Community (IC). Privacy concerns are prominent since CAI can reveal sensitive details about individuals, potentially leading to misuse that harms reputations or emotional well-being. The IC must navigate these complexities while responsibly leveraging CAI for intelligence purposes.
A couple of years ago, the Director of National Intelligence, Avril Haines, commissioned a report concerning the use of CAI, which was then declassified and published. In what was apparently a first of its kind, the federal government attempted to collect and share such information with the public, who are usually kept in the dark about such things. The Biden administration felt more needed to be done.
Biden Cracks Down on Data Sales
In February of 2024, President Biden signed Executive Order 14117, aiming to shield Americans' sensitive data from falling into the hands of "countries of concern." The EO mandated that the Department of Justice craft regulations to curb large-scale transfers of personal and government-related data to nations like China and Russia, which are deemed risky for U.S. national security. It also empowered the Attorney General to halt data sales. It focused on outbound data flows without imposing domestic storage mandates. As the regulations took shape, stakeholders were invited to weigh in through public comments.
Experts, such as the Atlantic Council, reacted to the EO by calling for comprehensive federal privacy legislation to bolster national security even further. While the executive order was a significant step, they argued, Congress must act to regulate data brokerage effectively. A couple of months later, the federal government did just that.
President Biden signed into law the "Protecting Americans’ Data from Foreign Adversaries Act of 2024" (PADFA). This legislation restricted "data brokers" from transferring personally identifiable sensitive data to nations like China and Russia, or entities under the control of these countries. The act defined "data brokers" as entities that sell or disclose U.S. individuals' data for valuable consideration without direct collection from those individuals. With an expansive definition of "sensitive data," PADFA covered identifiers, health records, financial details, biometric and genetic information, geolocation data, and more.
Agencies Roll Out Biden’s Policies
Under PADFA, the Federal Trade Commission (FTC) was tasked with enforcing these restrictions as part of its mandate to regulate unfair practices. The new law obligated American companies to scrutinize their data policies to ensure compliance with the provisions to safeguard against unauthorized foreign access to sensitive data. The FTC had already, in 2022, famously filed a lawsuit against the data analytics firm Kochava Inc. for allegedly collecting detailed personal information linked to precise locations. As of now, that case is still pending.
Then, last December, the Consumer Financial Protection Bureau (CFPB) unveiled proposed regulations to curb sales of personal information by data brokers. CFPB Director Rohit Chopra highlighted the alarming scale of the issue, noting instances where data brokers advertised personal details of senior national security officials. Under the proposed regulations, companies dealing in consumers' financial information would be treated similarly to credit bureaus, necessitating safeguards against misuse and ensuring data accuracy. The goal was to bring data brokers under CFPB oversight, aligning them with credit reporting laws to mitigate threats posed by unscrupulous entities (both domestic scammers and foreign adversaries).
But all of this action came when Biden was leaving the Oval Office. The proposal's future remained uncertain with Donald Trump poised to retake the presidency and touting plans for regulatory cuts. Since returning to office, Trump's new administration has aggressively targeted the CFPB, proposing drastic staff reductions amid legal challenges. And though many remained hopeful due to bipartisan support for consumer protections, the optimism that Trump would leave Biden’s policies in place has now proven to be misplaced.
Not So Fast, Says Second Trump Admin
In a decisive shift last week, the CFPB under President Trump dismantled Biden’s plans for keeping data brokers in line. The move, announced via the Federal Register, also retracts plans to enhance consumer protections in digital payment technologies like cryptocurrency and to restrict certain fine print terms in financial products. Why?
The CFPB’s new Acting Director, Russell Vought, stated that the proposal conflicted with current policy objectives and interpretations of the Fair Credit Reporting Act. It was also claimed that public feedback highlighted potential legal inconsistencies requiring further scrutiny before advancing any final rule. This included concerns about whether these limitations were compatible with federal law.
Consumer groups are worried. The group Consumer Reports said in a statement in the wake of Trump’s announcement that withdrawing Biden’s policies would leave consumers "vulnerable to scams and identity theft."