Guest Post: “Prioritizing Data Privacy in National Security Policy: The Current Loophole and the Need to Address It”
Today’s post is by my super-smart research assistant, Ms. Angelina “Gina” Bianchi. She addresses a topic we all need to be concerned about: data privacy. You may remember her from her contribution to the LENS Essay series “Regulating the Third Frontier: The Current Unrestricted Nature of Autonomous Weapons and the Need for Regulatory Safeguards.” Here’s her thinking on another vitally important issue:
Prioritizing Data Privacy in National Security Policy:
The Current Loophole and the Need to Address It
By Gina Bianchi
Both President Biden and President Trump have issued executive orders that highlight the national security concerns that arise from Americans’ data falling into the hands of foreign adversaries. Personal data can be used to predict an individual’s personality more accurately than their family can, or to track an individual’s every movement. The power that data gives those who possess it means that Americans’ data in the hands of adversaries poses a substantial threat to national security.
Though current regulation efforts have attempted to prevent this threat, the narrow focus on companies with ties to foreign adversaries has prevented the executive branch from addressing the broader concern: (1) the availability of Americans’ data on the open market, and (2) the absence of regulations regarding the sale of such data.
President Trump’s Executive Order
On May 15, 2019, President Trump issued Executive Order 13873, the Information Communications Technology Executive Order (ICTS Executive Order), which prohibited the “acquisition, importation, transfer, installation, dealing in, or use of any information and communications technology or service [when] the transaction involves information and communications technology or services designed, developed, manufactured, or supplied, by persons owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary.”
The Executive Order was motivated by two findings. First, adversaries were exploiting information and communications technology and services to help facilitate malicious cyber-attacks. Second, the unrestricted use of information and communications technology or services “designed, developed, manufactured, or supplied by persons owned by, controlled by, or subject to the jurisdiction or direction of foreign adversaries” enabled foreign adversaries to “exploit vulnerabilities” within these services, creating a threat to national security.
On January 19, 2021, the Commerce Department published a rule implementing this Executive Order. This rule provided guidance on which countries constitute foreign adversaries for which the transactions would be prohibited. The list includes “The People’s Republic of China, including the Hong Kong Special Administrative Region (China); the Republic of Cuba (Cuba); the Islamic Republic of Iran (Iran); the Democratic People’s Republic of Korea (North Korea); the Russian Federation (Russia); and Venezuelan politician Nicolás Maduro (Maduro Regime).”
Further, the rule provides guidance on what constitutes a person being owned by, controlled by, or subject to the jurisdiction or direction of a foreign adversary. According to the rule, its scope covers “any person, wherever located, who acts as an agent, representative, or employee, or any person who acts in any other capacity at the order, request, or under the direction or control, of a foreign adversary or of a person whose activities are directly or indirectly supervised, directed, controlled, financed, or subsidized in whole or in majority part by a foreign adversary.”
Also included within the definition is “any person, wherever located, who is a citizen or resident of a nation-state controlled by a foreign adversary; any corporation, partnership, association, or other organization organized under the laws of a nation-state controlled by a foreign adversary; and any corporation, partnership, association, or other organization, wherever organized or doing business, that is owned or controlled by a foreign adversary.”
President Trump later issued three additional executive orders aimed at prohibiting specific applications from being purchased in the United States:
Executive Order 13942 of August 6, 2020, Addressing the Threat Posed by TikTok, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain.
Executive Order 13943 of August 6, 2020, Addressing the Threat Posed by WeChat, and Taking Additional Steps To Address the National Emergency With Respect to the Information and Communications Technology and Services Supply Chain.
Finally, Executive Order 13971 of January 5, 2021, Addressing the Threat Posed by Applications and Other Software Developed or Controlled by Chinese Companies.
President Biden’s Executive Order
These three additional orders imposed blanket prohibitions on the downloading of applications that were deemed to be controlled by Chinese companies. President Biden’s Executive Order 14034 of June 9, 2021, reversed President Trump’s Executive Orders 13942, 13943, and 13971, but maintained the stances taken in President Trump’s initial ICTS Executive Order.
Biden’s Executive Order 14034 recognized that “[b]y operating on United States information and communications technology devices, including personal electronic devices such as smartphones, tablets, and computers, connected software applications can access and capture vast swaths of information from users, including United States persons’ personal information and proprietary business information. This data collection threatens to provide foreign adversaries with access to that information. Foreign adversary access to large repositories of United States persons’ data also presents a significant risk.”
As opposed to a blanket ban on transactions with specific companies, President Biden’s approach adopts a facts-and-circumstances analysis. The Order prescribes that “The Secretary of Commerce shall evaluate on a continuing basis transaction [and] [b]ased on the evaluation, the Secretary of Commerce shall take appropriate action in accordance with Executive Order 13873 and its implementing regulations.”
The Executive Order also requires the Secretary of Commerce to provide a report with recommendations on additional executive and legislative action to address the risk “associated with connected software applications that are designed, developed, manufactured, or supplied by persons owned or controlled by, or subject to the jurisdiction or direction of, a foreign adversary.”
The Need for Further Action
Thus far, the attempts at mitigating the risk associated with data becoming available to foreign adversaries have been insufficient. Though the investigation in President Biden’s Executive Order is aimed at helping to develop appropriate measures to combat the security threat, the limited scope leaves a gaping loophole no matter what further regulations are made. This is because the prohibition is limited to companies that are controlled by a foreign adversary and imposes no restrictions on companies not controlled by such an adversary.
Even if the regulations are read broadly to include companies that contract with foreign adversaries as being under their control, there is still a loophole whereby foreign adversaries can purchase information. This loophole is purchasing information from a third-party data broker.
Data brokers work by aggregating the data collected on an individual from various sources, through purchasing, licensing, and sharing agreements with other third parties. They then aggregate the data that they obtain to create comprehensive user profiles on individuals.
These companies, many of which are not under the control of or connected to foreign adversaries, currently face no restrictions on who they can and cannot sell information to. Thus, if a country is prohibited from obtaining information from software that it has present in the United States, there is currently nothing that would stop it from purchasing data from a third party who is able to collect that information.
The regulations ought to take a broader look at bolstering data privacy, as failing to do so poses a threat to national security. So long as Americans’ data is available on the open market, there will always be a workaround whereby foreign adversaries may obtain the data that we aim to protect. Unless, and until, broad data privacy regulations are adopted that restrict not only the gathering of data but also the sale of user data to companies, we will always face this challenge.
Though limiting foreign countries’ ability to collect data on Americans may be a step in the right direction, it is certainly not the final solution to the broad problem at hand. Taking consumers’ right to data privacy seriously and adopting regulations such as the GDPR may be the next step forward. Though this is not the only possible solution, the fact is clear: regulating companies connected with foreign adversaries is insufficient to combat the national security concerns that are raised by vast amounts of Americans’ data available for sale on the open market.
About the author:
Gina Bianchi (J.D. 2022) is a third-year at Duke University School of Law. She grew up in Rochester, New York, and graduated from Lafayette College with a B.A. in Philosophy in 2018. Before law school, she earned her MLitt in Moral, Political and Legal Philosophy from the University of St. Andrews. During her 2L summer, Gina interned for Latham & Watkins in Houston and Washington DC. She is an Executive Editor for Duke’s Law and Contemporary Problems journal and a research assistant for Maj. Gen. (Ret.) Charlie Dunlap.
Remember what we like to say on Lawfire®: gather the facts, examine the law, evaluate the arguments – and then decide for yourself!