This article first appeared at Just Security.
ODNI Releases New Framework for Handling Commercially Available Information
On May 8, the Office of the Director of National Intelligence (ODNI) unveiled a framework establishing standardized guidelines for the Intelligence Community (IC) on categorizing, acquiring, and managing commercially available information (CAI). This data, obtainable from various commercial sources like cell phones, cars, household devices, and social media, is often procured from data brokers. The newly released policy framework outlines principles for acquiring and safeguarding CAI, with special attention to sensitive information. It also mandates cataloging the IC agencies’ purchases and use of CAI.
This framework emerges amid increased awareness within the IC that the acquisition and use of CAI carry significant risks to Americans’ privacy and civil liberties. Effective implementation could harmonize agencies’ practices, enhance privacy protections incrementally, and substantially increase transparency. However, the framework grants IC agencies considerable discretion in applying its principles, which might limit its practical effectiveness. Additionally, it does not restrict IC agencies from purchasing data that would typically require a warrant, court order, or subpoena, highlighting the need for legislative action.
The Problem
In June 2023, a declassified government report confirmed that intelligence agencies have been purchasing vast amounts of Americans’ personal data from commercial entities. The report indicated that this practice has surged due to advancements in digital devices and the advertising-driven surveillance industry. It warned that CAI could expose highly sensitive information, thereby heightening the government’s ability to intrude into private lives and posing risks to privacy and civil liberties. Despite these risks, intelligence agencies frequently acquire CAI without adequate policies to identify and protect sensitive data, often failing to track their acquisition and use of CAI.
Much of this data is theoretically protected by statutory and constitutional privacy regulations. For instance, in 2018, the Supreme Court ruled in Carpenter v. United States that the government needs a warrant to obtain cell phone location records. However, agencies circumvent this requirement by purchasing geolocation data from commercial vendors, thus undermining the spirit of the ruling.
The Framework’s General Principles for All CAI
The ODNI framework sets baseline standards for IC agencies on acquiring and using CAI, allowing flexibility to meet operational needs. It outlines nine general principles emphasizing privacy and civil liberties as integral considerations. Agencies must avoid using CAI to disadvantage individuals based on race, gender, or religion, and must not take adverse actions against individuals for exercising constitutionally protected rights. The framework also mandates assessing data quality, managing safeguards, and providing transparency to the public and oversight entities.
While these principles are commendable, some merely restate basic constitutional requirements, raising questions about their additional value. The discretionary nature of these principles might allow agencies to prioritize operational flexibility over privacy.
Additional Requirements for Sensitive CAI
The framework specifies how intelligence agencies should manage sensitive CAI, first by defining what constitutes sensitive information. It then sets baseline standards for acquiring and safeguarding such data and details documentation requirements.
What Is Sensitive CAI?
The framework defines sensitive CAI based on volume, proportionality, and sensitivity. Information is deemed sensitive if it involves a substantial volume of personally identifiable information (PII) about U.S. persons or a greater than minimal amount of sensitive data or activities. Sensitive data includes PII related to race, political opinions, religious beliefs, health information, sexual orientation, financial data, or other data that could cause substantial harm if disclosed. It also includes data revealing patterns of life or personal preferences over time.
However, the framework lacks clarity on certain sensitive information categories like biometric data, location information, and internet search history. Agencies have the discretion to determine the sensitivity of such information, which might lead to inconsistent safeguards.
Minimum Standards for Acquiring and Safeguarding Sensitive CAI
The framework outlines procedures for ensuring that sensitive CAI is collected and used responsibly. Agencies must assess various factors before acquiring sensitive CAI, including privacy and civil liberties risks and data quality. They must implement measures to safeguard sensitive CAI, though these measures are illustrative rather than mandatory.
Agencies can bypass oversight officials based on operational security considerations, potentially sidelining critical oversight. The framework’s discretionary nature could make it a mere formality, allowing agencies to continue purchasing data without stringent safeguards.
Documentation and Reporting
Despite its flaws, the framework includes promising documentation and reporting requirements, aiming to enhance transparency and accountability. IC agencies must document their acquisition and use of sensitive CAI, including the purpose, source, and volume of information, applicable safeguards, and the procurement process. Agencies must report this documentation to the ODNI annually, and the ODNI must keep Congress informed and issue a public report every two years.
What’s Missing—and What’s Next
While the framework includes some privacy protections, it does not prohibit purchasing information that requires a warrant or subpoena. Thus, it cannot replace legislation needed to restore legal protections. Congress and the courts have already determined that certain information should not be accessible without compulsory legal process. The ODNI policy recognizes the need for rules governing CAI acquisition but creates its own subjective standards rather than adhering to existing legal requirements.
Legislation like the Fourth Amendment Is Not For Sale Act or the Government Surveillance Reform Act would provide more robust protections by prohibiting certain purchases of sensitive data and imposing rigorous minimization requirements.
The ODNI framework acknowledges the need for different rules for government acquisition of CAI but errs in creating its own. Stronger legislative measures are necessary to protect civil liberties effectively.



