Restricting direct data broker sales to China is a start—but privacy and security controls on personal data must go much broader.
-(1)-(1).png?sfvrsn=1bc11cd_4 "Data Brokerage and the Third-Country National Security Problem")
In November 2024, Wired reported that a U.S. data broker had location data that a data holder could use to follow U.S. military forces as they walked around in Europe and even traveled to the off-base brothel SexWorld—raising serious national security concerns. It’s now clear that the data didn’t originate from an American company. Instead, a Feb. 12 investigation from 404Media and Wired revealed, the location data encompassing service members came from a Lithuanian company that sold it to a U.S. data broker. The free, sample dataset alone (so, just a subset of its overall offerings), covering one month in Germany, had 3.6 billion location points from up to 11 million different devices.
Amid a growing number of stories about how the data brokerage industry and other poor U.S. privacy practices put national security at risk, this recent news speaks to a persistent gap in laws, regulations, and policies to address the issue. Even as the executive branch puts forward its bulk data transfer and national security program (which took effect on April 8), and as Congress gave the Federal Trade Commission (FTC) the power to examine limited aspects of some third-party sales of some personal data with impacts on national security, ongoing efforts focus (mostly) on direct sales of data to a select few countries, such as China, Russia, and Iran. These are obvious places for privacy and security intervention, making the efforts important.
But this latest story underscores all the possible directions in which brokered data can flow—a U.S. broker buying data on U.S. persons from a European advertising technology vendor; hypothetically, a Singaporean firm sourcing location data that it sells from apps in Latin America, encompassing travelers from many countries; or any other myriad possibilities involving different buyers and sellers in different countries, in variable numbers of transactions, with different types of data related to different people. Therefore, the government’s focus on direct sales to a few countries creates the opportunity for ill-intentioned foreign actors to buy Americans’ data indirectly through a series of transactions, which circumvents programs designed to look (again, importantly) just at direct sales and transfers involving a few previously identified adversaries. It’s a significant gap. To address this issue, Congress should implement restrictions on the sale of many kinds of data, on all Americans, to any buyer, to clamp down on the unwieldy data supply chain enabling this significant risk to national security.
In November, Wired, Bayerischer Rundfunk, and Netzpolitik.org obtained geolocation data gathered and sold by Datastream Group, a Florida-based data broker. They uncovered location signals from up to 189 devices inside a high-security German military installation, where “as many as 15 U.S. nuclear weapons are reportedly stored in underground bunkers”; up to 1,257 devices at a training area with thousands of American troops and a place for training Ukrainian soldiers; and nearly 2,000 devices at the United States’s Ramstein Air Force Base (which is also in Germany). The signals showed devices going from Ramstein Air Force Base to Ramstein Elementary and High School—which the children of military personnel attend—and, as described above, even four devices of soldiers visiting off-base brothels.
Location data shows people’s unique movements and cannot be seriously “anonymized” at the device level with any degree of utility (that is, what data holders want). Someone with this data could therefore use it to clearly identify specific people, which could be valuable information to a foreign adversary. For example, it would be relatively easy for an adversary with access to location data from mobile phones to determine exactly who is working at a U.S. military installation overseas, despite the fact that they rarely leave the base or put their name online. This kind of data also enables the inference of additional, sensitive information based on people’s movements; in this instance, the location data collection and sale encompassed people’s children and revealed activity, such as service members’ visits to off-base brothels, that could provide blackmail material or at least helpful intelligence to a foreign adversary. And of course, collecting and selling such data tramples all over people’s privacy, too.
Now, in a letter to Sen. Ron Wyden (D-Ore.), Datastream Group said it obtained the data in question from Lithuanian advertising technology company Eskimi. In response, Eskimi’s CEO said that “Eskimi does not have or have ever had any commercial relationship with Datasys/Datastream Group.” An attorney for Datastream, talking to 404 Media and Wired, then contradicted some of the statements the company had already made to Wyden’s office—such as claiming that the data was never intended for resale, versus its earlier statement in the letter that the data was meant for use in digital advertising (and therefore would ostensibly be shared onward with many third parties, as part of online bidding for digital ads).
Contradictions aside, this example puts front and center the risk stemming from the gap in U.S. data protections. The very nature of the data brokerage and digital advertising ecosystems—complex, fairly opaque, crossing borders, and involving many parties handling many types of data—makes it feasible for a threat actor in a foreign country to simply purchase data from a U.S. data broker through a series of intermediaries, through its own U.S. front company, or from an unscrupulous or negligent, non-U.S.-based reseller. Purchasing data in any one of these ways would obscure the ultimate recipient of the data from U.S. regulators and policymakers investigating categories or cases of sales and transfers from U.S. companies directly to entities in countries such as China or Iran. (All that is without even getting into the fact that non-U.S. data brokers or advertising technology companies can—and clearly, in some cases, do—gather and sell highly sensitive data on U.S. persons that implicates national security.)
The Justice Department’s bulk data transfer and national security review program, designed to curtail data brokerage for national security reasons, specifies six “countries of concern” at which restrictions are targeted as China, Russia, Iran, North Korea, Cuba, and Venezuela. It does not include a variety of countries operating at the behest of those six governments—such as Belarus, a de facto Russian client state—and certainly does not include any of the other countries in which one of those six countries could set up front companies or go through intermediaries—from South Korea to South Africa to Egypt to, as touched upon in the recent story, Lithuania or Germany. To be clear, this does not mean the Justice Department will only look at an American firm selling data directly to a Chinese military university—or that there are zero safeguards vis-a-vis onward transfers and circumventions of direct sales. Section 202.302 of the Justice Department’s final rule requires covered companies selling or transferring covered data to entities outside those six countries to specify, in contracts, that the buyer (and the buyer’s buyers, if applicable) will not subsequently transfer or resell the data onward to a country of concern. It’s a good requirement in that it will help to ensure that U.S. companies, on their end, are putting this kind of language into contracts and that any U.S. company selling data with knowledge that the recipient will simply pass it on to, say, Iran can be held accountable. It may also help should, for example, a European company buy U.S. persons’ data in bulk from a U.S. company and therefore know it should not sell the data onward in contravention of the U.S. rule. But this contractual language does not deal with many of the above scenarios.
It is another reason that Congress should have been more comprehensive when it rushed through the Protecting Americans’ Data from Foreign Adversaries Act (PADFAA) in 2024, a law motivated by important bipartisan attention to the issue but that was suboptimal in several ways: It gave a data and national security authority to the Federal Trade Commission (neither a national security agency nor a place with many clearances); defined data brokers only as third-party data collectors, excluding from national security measures the many first-party companies that sell their own users’ and customers’ data as well as data they collect on people directly through pixels and website trackers; failed to give the executive branch much more authority than it already had on this subject (which is little to begin with); and—relevant for these purposes—did not address the third-country problem. Its “foreign adversary country” list was pulled from 10 U.S.C. § 4872 to include China, Russia, Iran, and North Korea. Similar to the Justice Department program, the law focused its prohibitions on entities where the entity or at least 20 percent of its owners are domiciled, headquartered, principally operating, or legally organized in a foreign country on the list; or “subject to the direction or control of a foreign person or entity” domiciled, headquartered, principally operating, or legally organized in a foreign country on the list.
As I describe in my forthcoming book “Navigating Technology and National Security,” years and years of lessons from export controls alone should underscore that foreign governments looking to illicitly obtain access to goods, services, and information from other countries will use deception, obfuscation, front companies, redirection points, recruited operatives, and other tactics to make it happen. This does not mean efforts to make that acquisition more difficult for the foreign government are futile—quite the contrary, in fact—but that effective gap-plugging must go further than rules on paper, especially when dealing with intangible, voluminous digital things such as datasets. Foreign threat actors’ persistence also means that policymakers should continue to explore a spectrum of comprehensive policy options, ensuring that societally beneficial activities, such as internal business uses of data with people’s actual consent, are appropriately safeguarded alongside clampdowns, in a systemic rather than piecemeal fashion, on the kinds of security-risky data sales touched upon in the recent 404Media and Wired stories.
In the data brokerage case, existing efforts do not adequately protect against a foreign government—such as the Chinese government—purchasing the data through a partner firm in Germany that itself purchases the data from a U.S. data broker, because existing efforts are too dependent on contractual controls in select cases rather than baseline, comprehensive privacy and security requirements for all U.S. companies. They do not adequately protect against a foreign government setting up a front company within the United States itself to purchase data from a U.S. data broker, burying its hypothetical intelligence operation within a landscape of inadequate privacy laws and an opaque, leaky data supply chain. And, among others, they do not sufficiently mitigate the risk of a foreign government or ill-intentioned actor extracting data from apps, digital advertising networks, and other sources and systems without the owner’s knowledge—because the risky, underlying data practices powering them have not changed.
Until Congress, states, and the executive branch work to limit data collection at the source through comprehensive privacy legislation—and impose additional restrictions on data brokerage writ large, to include a national security risk component—countless opportunities for bad actors to circumvent requirements and buy, siphon, or steal U.S. persons’ data will persist.
– Justin Sherman is a contributing editor at Lawfare. He is also the founder and CEO of Global Cyber Strategies, a Washington, DC-based research and advisory firm; the scholar in residence at the Electronic Privacy Information Center; and a nonresident senior fellow at the Atlantic Council. Published courtesy of Lawfare.
