The Biden administration is preparing an executive order aimed at curbing the ability of foreign governments to access sensitive personal data on Americans that could jeopardize national security, one current US official and one former US official familiar with the matter told CNN.
Foreign efforts to exploit Americans’ data represent an “unusual and extraordinary threat” to national security and foreign policy, the draft text of the order says, according to the US official.
The directive — which sources said could be finalized and issued in the coming weeks — tasks US officials with putting new restrictions on transactions for personal data that can often be easily and legally acquired online right now. The order is expected to cover cellphone location data, genetic information and health records, all of which could allow foreign intelligence services to build a detailed picture of US government employees, the officials told CNN.
Bloomberg News first reported on the draft executive order.
The National Security Council at the White House declined to comment on the draft executive order.
A surge in the amount of intimate personal information on US citizens that can be bought and sold online has alarmed lawmakers and senior US officials focused on national security. The concern is that US adversaries, particularly China, are augmenting traditional sources of intelligence like codebreaking and human sources by simply going online to shop for it.
A US intelligence report declassified last year described personal data for sale online as an “increasingly powerful” tool for intelligence gathering by US and foreign spying agencies that also represents a privacy risk to ordinary people.
“If reports are true, the White House is doing the right thing by taking steps to protect Americans’ sensitive data from being sent in bulk to foreign countries without strong privacy rules,” Sen. Ron Wyden, an Oregon Democrat who has sponsored legislation to impose restrictions on the sale of Americans’ personal data, said in a statement.
Wyden said he hoped the final text of the executive order, among other things, applies to data held by US subsidiaries of foreign companies. He cited TikTok, the wildly popular social media platform that has offices in the US but whose parent company is headquartered in China.
A lot of the online trade in personal information runs through so-called data brokers, which buy information on people’s Social Security numbers, names, addresses, income, employment history and criminal background as well as other items. The data can be used to conduct legitimate information surveys, such as background checks and credit checks, but can also become potent fodder for surveillance in the wrong hands.
The apparent home addresses and health conditions of thousands of active-duty US military personnel can be bought cheaply online from data brokers, researchers at Duke University found in a study published in November.
“To the Chinese and Russian governments, it would be child’s play to set up a front website or company, deceive some US data brokers, and purchase sensitive data about clearance-holders or other Americans of interest,” Justin Sherman, who led the Duke study, told CNN on Tuesday.
The task for any US policy response “lies in developing the right regulatory regime and risk criteria to understand which data transactions and activities pose unacceptably great risks,” Sherman said.