The Biden administration’s new executive order (EO) to protect Americans’ sensitive personal data is a valuable symbolic act, highlighting Congress’ longstanding failure to pass national privacy legislation. As the world becomes more data-intensive, the lack of domestic privacy laws has become an issue for U.S. foreign policy. The EO seeks to address this, but it also means that the United States is moving into highly intense espionage conflicts with Russia and China, gaining information superiority in a globally interconnected digital environment. It is also a recognition that data analysis may play a key role in achieving this goal.
The EO sends a clear message, even a harsh one, that the United States does not want hostile foreign powers to obtain the data of large numbers of Americans. As the 2024 election approaches, Americans are waking up to find out that the Chinese equivalent of the Cambridge Analytica episode, in which British data brokers acquired large amounts of Americans’ personal information for use in the 2016 election, has woken up. I don’t want to know something. However, EO can be easily avoided, so its actual effect can be ignored.
There is no public discussion about why China needs so much personal data, and it is not clear why it collects it. Since the initial focus of China’s data collection was on its own citizens, many of whom reside in China, it is an internal security function and a standard application of Leninist tools. Data collection for domestic intelligence purposes in China dates back to at least the 1949 revolution, but over the past decade it has moved beyond a domestic focus. Chinese agents hacked into the records of the U.S. Office of Personnel Management (OPM), airlines, hotels, health insurance companies, and other organizations, obtaining a vast database containing the personal information of millions of Americans. The 2015 OPM hack was part of a larger effort by China to adopt a data-centric approach to intelligence and use Chinese data analysis programs for espionage. OPM was a US signal failure, as China obtained SF-86s (“National Security Status Questionnaires”) for 19.7 million applicants for US government security clearance. Everyone with a security clearance must complete her SF-86. SF-86 requires sensitive personal information, and SF-86 data is far more valuable to counterespionage efforts than data available from data brokers.
Policymakers can only speculate about the motivations for China’s bulk commercial data purchases, but it is likely a mixture of paranoia and a desire for control by Chinese leaders. China has made significant efforts in data analysis and biometrics (facial recognition, fingerprinting, genetics, DNA) to create a comprehensive surveillance program, and in recent years these efforts have expanded beyond its own citizens. It seems that it is expanding. To be fair, major intelligence agencies around the world maintain extensive biographical databases on prominent national and international figures. Concerns about terrorism have led to the expansion of such collections in many countries, and a major (if not entirely rational) concern for some in the European Union is that the US National Security Agency (NSA) They were engaged in large-scale surveillance of Europeans. But while Chinese surveillance is unlikely, the U.S. program was usually carried out in cooperation with European governments for common counterterrorism interests. China has no such common rationale and its plans are not cooperative.
EO includes security issues for data transmitted over submarine cables. This is likely because eavesdropping on these cables allows mass collection of data. For all practical purposes, submarine cables are indefensible. Cables in the deepest parts of the ocean may be inaccessible, but all cables must be brought ashore, and the shallower the water, the easier the cables are to be interrupted and harder to protect. A fishing trawler can do this. It is technically difficult to touch an undersea cable and collect the traffic passing through it, but if the collector owns and operates the cable (or, as in Article 7 of the Chinese Espionage Law, the owner If you can force people to cooperate), the task becomes easier. Allowing possession by a hostile entity is a mistake. The inclusion of submarine cables may indicate some of the concerns that led to the issuance of the EO. This concern is not new, first coming to light in 2000 during a Committee on Foreign Investment in the United States (CFIUS) review of a Hong Kong entity’s proposed acquisition of submarine cable company Global Crossing. Global Crossing was informally blocked by CFIUS more than 20 years ago, but CFIUS appears to have felt the need to increase its authority to block the sale of undersea cables.
One concern is that the collection and analysis of large amounts of personal data could increase the ability to interfere in domestic elections. Another is that access to personal data could allow China to increase its recruitment of American spies. Both concerns appear to be overblown. During this decade, many individuals have been arrested and charged with Chinese espionage, but hacks such as OPM’s access to large amounts of personal information are unlikely, at least in cases where individuals are compromised. Doesn’t seem to be involved in this. Scouted by Chinese.
The easiest way to circumvent this EO restriction is for a hostile entity to use a third-party acquisition company, such as a data broker. Data brokers are in the business of selling data in bulk, sometimes for commercial purposes such as election campaigns. EO avoidance tactics are likely similar to money laundering, and the first-party acquirer of the data may not even know the ultimate recipient or intended use, making the “know your customer” requirement less helpful. The data broker sells to a company in another country, which in turn sells to another company in a third country, which in turn sells to a commercial company in China. It may also be possible to move data from the United States to another country using technology such as portable storage devices. Hostile entities can circumvent her EO’s control with a little ingenuity and funding.
This risk has not yet been identified. Traditionalists will be happy to learn that, judging by intelligence-related prosecutions, the most successful tools for recruiting operatives remain primarily dependent on money and sex (or sex and money) right. Both China and the United States have even released videos warning their citizens about this type of recruitment. But money and sex doesn’t seem to have superseded concerns that China and other countries will use illegally obtained personal data to identify economically or mentally weak individuals who meet requirements. is. Other technologies, such as those that rely on deepfakes (although there are no public examples of this, deepfakes are used for crime, politics, and ultimately espionage), are capable of processing large amounts of data. could benefit from subjecting it to some kind of artificial intelligence analysis tool.
Dissatisfaction, the most important characteristic for recruiting, cannot be obtained from large amounts of commercial data. Individuals are often more likely to be hired because they have some degree of dissatisfaction or dissatisfaction. Dissatisfaction is a bigger problem for China. Many Americans are dissatisfied, but that dissatisfaction does not translate into goodwill toward the Chinese Communist Party. If there is information or data to the contrary, the administration should make it public, at least in relation to prosecution. This is not a criticism of her EO, but an effort to temper expectations. It would be nice to have a national privacy law, but that remains on hold and EO is a useful alternative.
James A. Lewis is Senior Vice President and Director of the Strategic Technology Program at the Center for Strategic and International Studies in Washington, DC.
