Can private market data help balance national security and privacy?
International relations theorists have long argued that we live in a state of international anarchy. Because there’s no overarching world state imposing fines for unsatisfactory laws or policing countries that don’t live up to human rights standards, we are constantly figuring out international power structures and balances.
To a certain extent, we live in a similar ecosystem when it comes to data. We inhabit a world in which responsible online behavior is difficult to pin down. And although we’ve come a long way in a short amount of time, companies don’t always know what they are allowed to do with their users’ information, and users don’t always know how to best secure their information online. For this reason, we should be cautious about allowing government entities, like the intelligence community, to use private market data (PMD), which is “data that is generated by consumers, companies, and other entities and that is collected, collated, analyzed, and sold by technology companies and data brokerage services.”
In a recent newsletter, Klon Kitchen’s “The Good Guys Want Your Data, Too” (based on the prior piece “The Business of Knowing: Private Market Data and Contemporary Intelligence”) outlines how this data can help advance national security. Indeed, agencies in the intelligence community are already using PMD. Kitchen notes: “Specifically, PMD offers an appealing opportunity for the intelligence community to develop at-scale intelligence because it’s unclassified, ‘rich,’ and recent.” However, this approach ignores longer-term implications of incorporating PMD into intelligence collection patterns by focusing too much on its benefits and ignoring the fluidity of data collection practices and regulation.
Yes, PMD is detailed. It’s also organized, accurate and—most importantly—up to date. But just because it’s there for the taking does not mean it is the best move for the intelligence community in the long run. It’s like signing a long-term lease without a consistent plan of future payment. Things can change quickly, and there’s less flexibility to adapt. Take the U.S. state privacy law environment, for example, whose developments require constant monitoring.
Perhaps the solution is to minimize the intelligence community’s use of PMD until we have clearer privacy and security frameworks, such as a federal privacy law, to regulate the use of PMD. But stepping on the brakes would be less about formal timelines and more about acknowledging that incorporating PMD into intelligence collection is a serious decision, one that will impact the intelligence community’s processes, budgets, priority setting and more for years to come. And the more we continue to use PMD, the more difficult it will be to untangle ourselves if we do, in fact, pass a federal data privacy and security law that alters how PMD can be used. At the same time, it’s unrealistic to place a due date on established behavioral norms over data security and privacy—even if laws pass. But taking a step back and carefully considering the appropriate use of PMD is crucial to a sustainable information collection system.
There’s also another sensitive aspect to consider: the tenuous dance taking place between the European Union and the United States in light of the Schrems II ruling and the teaser political agreement recently reached to replace the invalidated Privacy Shield agreement. With a “will-they-won’t-they” dynamic, the European Union and United States have gone back and forth over an acceptable data transfer mechanism for years, hitting a wall when it comes to U.S. intelligence laws and the surveillance of European users online—Facebook was the most recent example in court. Embracing the use of PMD for foreign individuals—especially with a new agreement on the horizon—could shake up months of trade negotiations. Being cautious here, however, is less about pandering to our allies and more about the amount of business—approximately $1 trillion per year—on the line.
The PMD approach might even find an unlikely roadblock at home. The Department of Homeland Security recently announced its intent to embrace privacy-enhancing technologies in an effort to implement privacy controls proactively into their operations. So the agencies in question might not even be willing to tangle themselves into a “wild west” of data if they’re looking to use less of people’s information—as is the goal of many privacy-enhancing tools.
This isn’t all to say that PMD should be eliminated as an option—which would be difficult to do, anyway, because agencies already buy it. Kitchen’s breakdown of the benefits of PMD can help us understand how data collected from consumers can fit into intelligence collection, and, more importantly, national security imperatives. Kitchen’s longer-form piece also suggests guardrails worth considering, like developing an annual report for Congress and routing the oversight of data acquisition through Senate and House committees on cybersecurity to ensure data security.
Additionally, a formal framework delineating how intelligence agencies can use this data would be a welcome contribution. Not only would this establish parameters around the practice, but it would also foster transparency for civilians. Indeed, “secrecy magnifies the problem.” It would be ideal if there were a way to use information that is collected from users with some degree of transparency and accountability that could even allay broader concerns over privacy—as the relationship between intelligence agencies and privacy advocates hasn’t always been the greatest. Lawmakers like Sen. Ron Wyden (D-Ore.) have focused plenty on this issue already.
PMD could be beneficial for the intelligence community. At the same time, there’s still much to be fleshed out when it comes to data governance, so it’s better to be conservative with the use of consumer datasets at the agency level.