Spy agencies must safeguard data that can easily identify Americans, the Office of the Director of National Intelligence said, issuing guidance for the ethical use of commercial data that analysts use in their day-to-day work.
U.S. intelligence operatives and cyber warfare units often obtain data to help them in their missions—from telemetry to computer logs to weather records. But purchases of data from platforms or apps, where consumers legally but sometimes unknowingly give away their location information and other personal details by clicking “yes” on user agreements, have become a privacy-ethics flashpoint.
ODNI’s guidance highlights “sensitive commercially available information” that contains a “substantial volume” of personally identifying information or specific identifiers that can easily trace back to a U.S. person and their religious affiliations, gender identity, or other affiliations.
“IC elements must have in place policies and procedures to ensure they appropriately safeguard any Sensitive CAI,” the framework’s fact sheet says. “Such policies and procedures must take into account not only factors such as the volume, proportion, nature, and intended use of information but also include enhanced safeguards such as restricted access, additional internal controls, and approval requirements.”
Sensitive information uses must be periodically reviewed and ODNI will need documentation from IC groups that describes the types of sensitive information acquired, the blueprint says.
The release was crafted by a senior advisory panel, and their recommendations were accepted by every IC element, the ODNI said.
“Put simply, the combination of an increasing amount of readily available data regarding the activities of individuals — often perceived as not especially sensitive on its own — and increasingly sophisticated analytic tools can in the aggregate raise significant privacy and civil liberty concerns,” an office statement said.
A report released last year said that the IC frequently buys troves of Americans’ data with few checks and balances, and that use of such information without oversight presents a privacy threat. Some of those purchases have included social media data, it said at the time.