The New Executive Order on Personal Data
The new Biden administration executive order (EO) to protect Americans’ sensitive personal data is a valuable symbolic act and highlights the long-standing congressional failure to pass national privacy legislation. As the world becomes more data-intensive, the lack of national privacy legislation is a growing foreign policy problem for the United States. The EO attempts to address this, and is also a recognition that the United States has moved into a very intense espionage conflict with Russia and China, where data analytics can play a major role in gaining an intelligence advantage in a globally interconnected digital environment.
The EO sends a clear message, even a stern message, that the United States would prefer that hostile foreign powers do not acquire data on masses of Americans. As the 2024 election approaches, Americans do not want to wake up and find out that there is a Chinese equivalent to the Cambridge Analytica episode, where a British data broker acquired in bulk the personal information of Americans for use in the 2016 election. But the EO’s practical effect is negligible because it is easily circumvented.
Why China would want masses of personal data is not something it has publicly discussed, and it is not clear why it collects it. The initial focus for China’s data collection was its own citizens, and many of those people reside in China, making it an internal security function and a standard application of a Leninist tool. Amassing data for domestic intelligence purposes in China use goes back at least to the 1949 revolution, but within the past decade, it has moved beyond a domestic focus. Chinese intelligence officers hacked the U.S. Office of Personnel Management (OPM) and the records of airlines, hotels, health insurance companies, and others to acquire immense databases containing the personal information of millions of Americans. The 2015 OPM hack was part of a larger effort by China to populate a data-centric approach to intelligence and use Chinese data analytics programs for spying. OPM was signal failure by the United States, as China obtained the SF-86 (“Questionnaire for National Security Position”) for a reported 19.7 million applicants for a U.S. government security clearance. Every person who has a security clearance must complete the SF-86, which requires sensitive personal information and SF-86 data is much more valuable for counterespionage than what can be obtained from data brokers.
Policymakers can only speculate on China’s motives for commercial bulk data purchases, but it is probably a blend of paranoia and a desire for control by China’s leaders. China has made massive efforts in data analytics and biometrics (facial recognition, fingerprinting, genetics, and DNA) to create comprehensive surveillance programs, and in the last few years appear to have extended these efforts beyond its own population. To be fair, major intelligence agencies worldwide maintain extensive biographic databases on prominent figures, both foreign and domestic. Concerns over terrorism led to an expansion of these collections in many countries, and a major (if not entirely rational) concern for some in the European Union is that U.S. National Security Agency (NSA) was engaged in mass surveillance of Europeans. Unlikely China’s surveillance, however, U.S. programs were carried out in the interests of shared counterterrorism interests, usually in collaboration with European governments. China has no such shared rationale and its programs are not cooperative.
The EO includes the issue of the security of data carried on undersea cables, presumably because tapping these cables would allow bulk collection of data. For all practical purposes, undersea cables are indefensible. While cables in the deepest parts of the ocean may be inaccessible, all cables must come ashore, and as the water becomes shallower, cables are easy to disrupt and hard to defend. A fishing trawler can do this. Tapping an undersea cable to collect the traffic passing over it is technically challenging, but if the collector owns and operates the cable (or can compel the owner to cooperate, as is the case under Article 7 of China’s intelligence law) the task become simple. By permitting ownership by a hostile entity would be a mistake. The inclusion of undersea cables may indicate some of the concern that led to the issuance of the EO. This concern is not new—it first appeared in 2000, in a review by the committee on Foreign Investment in the United States (CFIUS) of a proposed purchase by a Hong Kong entity of Global Crossing, an undersea cable company. While Global Crossing was informally blocked by CFIUS more than 20 years ago, CFIUS apparently felt the need to reinforce its authorities to block undersea cable sales.
One worry is that the collection and analysis of bulk personal data might improve an ability to interfere with domestic elections. Another is that access to personal data would lead China to improve their recruitment of Americans as spies. Both concerns seem to have been exaggerated. While in the intervening decade, a number of individuals have been arrested and indicted on charges of spying for China, access to bulk personal information from hacks like OPM do not appear to have played a role in this—at least for those cases where the individual was recruited by the Chinese.
The easiest ways to circumvent this EO’s restriction are for a hostile entity to use third-party acquirers like data brokers. Data brokers are in the business of selling data in bulk for commercial purposes including, in some instances, for electioneering. The tactics for EO circumvention would probably resemble money laundering and the first-party acquirer of the data may not even know the ultimate recipient or intended use, making “know-your-customer” requirements less useful. A data broker sells to a company in another country who then sells to another company in a third country who then sells to a commercial firm in China. It may also be possible to use technologies like portable storage devices to move data from the United States to another country. Hostile entities can bypass the controls in the EO with a little ingenuity and money.
The risk of this has yet to be determined. Traditionalists will be pleased to learn, judging from intelligence-related indictments, that the most successful tools of agent recruitment remain the same they have always been, relying principally on money and sex (or sex and money). Both China and the United States have even put out videos warning their citizens about this kind of recruitment. However, concerns that China or others would use illicitly acquired personal data to identify financially or emotionally vulnerable individuals for requirements do not seem to have replaced money and sex. Other techniques, such as those that rely on deepfakes (there are no public examples of this, but deepfakes are used in crime and politics and will eventually work in spying) could benefit from subjecting masses of data to some artificial intelligence analytical tools.
The most important trait for recruitment, discontent, is not provided by bulk commercial data. In many cases, there is a degree of disaffection and discontent that makes an individual susceptible to recruitment. Discontent is more of a problem for China. While there are many disaffected Americans, disaffection does not translate into fondness for the Chinese Communist Party. If there is information or data to the contrary, at least for indictments, the administration should release it. This is not a criticism of the EO, but an effort to temper expectations. It would still be nice to have a national privacy law, but that remains pending and the EO is a useful substitute.
James A. Lewis is a senior vice president and director of the Strategic Technologies Program at the Center for Strategic and International Studies in Washington, D.C.