By Caitlin Chin

Ten years ago, when whistleblower Edward Snowden revealed that U.S. government agencies had intercepted bulk telephone and internet communications from numerous individuals around the world, President Barack Obama acknowledged a long-standing yet unsettled dilemma: “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience. There are trade-offs involved.” Snowden’s disclosures reignited robust debates over the appropriate balance between an individual’s right to privacy and the state’s interest in protecting economic and national security—in particular, where to place limitations on the U.S. government’s ability to compel access to signals intelligence held by private companies. These debates continue today, but the internet landscape—and subsequently, the relationship between the U.S. government and private sector—has evolved substantially since 2013. U.S. government agencies still routinely mandate private companies like Verizon and Google hand over customers’ personal information and issue non-disclosure orders to prevent these companies from informing individuals about such access. But the volume and technical complexity of the data ecosystem have exploded over the past decade, spurred by the rising ubiquity of algorithmic profiling in the U.S. private sector. As a result, U.S. government agencies have increasingly turned to “voluntary” mechanisms to access data from private companies, such as purchasing smartphone geolocation history from third-party data brokers and deriving insights from publicly available social media posts, without the formal use of a warrant, subpoena, or court order. In June 2023, the Office of the Director of National Intelligence (ODNI) declassified a report from January 2022—one of the first public efforts to examine the “large amount” of commercially available information that federal national security agencies purchase. In this report, ODNI recognizes that sensitive personal information both “clearly provides intelligence value” but also increases the risk of harmful outcomes like blackmail or harassment. Despite the potential for abuse, the declassified report reveals that some intelligence community elements have not established proper privacy and civil liberties guardrails for commercially acquired information and that even ODNI lacks awareness of the full scope of data brokerage contracts across its 18 units. Critically, the report recognizes that modern advancements in data collection have outpaced existing legal safeguards: “Today’s CAI [commercially available information] is more revealing, available on more people (in bulk), less possible to avoid, and less well understood than traditional PAI [publicly available information].” The ODNI report demonstrates how the traditional view of the privacy-security trade-off is becoming increasingly nuanced, especially as gaps in outdated federal law around data collection and transfers expand the number of actors and risk vectors involved. National Security Adviser Jake Sullivan recently noted that there are also geopolitical implications to consider: “Our strategic competitors see big data as a strategic asset.” When Congress banned the popular mobile app TikTok on government devices in the 2023 National Defense Authorization Act (NDAA), it cited fears that the Chinese Communist Party (CCP) could use the video-hosting app to spy on Americans. However, the NDAA did not address how numerous other smartphone apps, beyond TikTok, share personal information with data brokers—which, in turn, could transfer it to adversarial entities. In 2013, over 250,000 website privacy policies acknowledged sharing data with other companies; since then, this number inevitably has increased. In a digitized society, unchecked data collection has become a vulnerability for U.S. national security—not merely, as some once viewed, a strength. The reinvigorated focus on TikTok’s data collection practices creates a certain paradox. While politicians have expressed concerns about Chinese government surveillance through mobile apps, U.S. government agencies have purchased access to smartphone geolocation data and social media images related to millions of Americans from data brokers without a warrant. The U.S. government has simultaneously treated TikTok as a national security risk and a handy source of information, reportedly issuing the app over 1,500 legal requests for data in 2021 alone. It is also important to note that national security is not the only value that can come into tension with information privacy, as unfettered data collection carries broader implications for civil rights, algorithmic fairness, free expression, and international commerce, affecting individuals both within and outside the United States.

Washington, DC: The Center for Strategic and International Studies (CSIS) 2023. 60p.