US President Joe Biden has issued an executive order banning the mass transfer of citizens’ personal data to countries of interest.
The Executive Order also “provides assurances regarding other activities that may give those countries access to Americans’ sensitive data,” the White House said in a statement.
This includes sensitive information such as genomic data, biometric data, personal health data, geolocation data, financial data, and some types of personally identifiable information (PII).
The US government said threat actors could use this information as a weapon to track their citizens and transmit it to data brokers and foreign intelligence services, which can then be used for intrusive surveillance, scams, blackmail and other violations of privacy.
“Commercial data brokers and other companies may sell this data to countries of concern, or to entities controlled by those countries, and may end up in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments,” the government said.
In November 2023, researchers at Duke University revealed that it is trivial to “obtain sensitive data on active-duty members of the military, their families, and veterans, including non-public, individually identified, sensitive data, such as health data, financial data data and information on religious practices” from data brokers for as little as $0.12 per record.
Saying that the sale of such data poses risks to privacy, counterintelligence, blackmail and national security, he added that hostile nations could collect personal information on activists, journalists, dissidents and marginalized communities with the aim of limiting freedom of expression and curb dissent.
The government said the affected countries have “a track record of collecting and misusing data on Americans.” According to the US Department of Justice, countries that fall into this category include China, Russia, Iran, North Korea, Cuba and Venezuela.
The Executive Order directs federal agencies to issue regulations that establish clear protections for sensitive personal and government-related data from access and exploitation, as well as establish high security standards to limit access to data through commercial agreements.
Additionally, the order requires the Departments of Health and Human Services, Defense, and Veterans Affairs to ensure that federal grants, contracts, and awards are not misused to facilitate access to sensitive data.
“The administration’s decision to limit the flow of personal data to only a handful of countries of concern, such as China, is a mistake,” Senator Ron Wyden said in a statement, and that the argument that it cannot be prevented for the US government to purchase Americans’ data is no longer valid.
“Authoritarian dictatorships like Saudi Arabia and the United Arab Emirates cannot be trusted with Americans’ personal data, both because they are likely to use it to undermine U.S. national security and target dissidents residing in the United States, but also because these countries do not have the effective privacy laws needed to prevent the data from being disclosed to China.”
The latest attempt to regulate the data broker industry comes as the US added China’s Chengdu Beizhan Electronics and Canadian network intelligence firm Sandvine to its Entity List after the latter’s middleboxes were found to have been hacked. used last year to deliver spyware against a former member of the Egyptian parliament.
A September 2023 Bloomberg report also found that Sandvine’s equipment had been used by the governments of Egypt and Belarus to censor content on the internet.
Access Now said Sandvine’s internet blocking technologies have facilitated human rights abuses by repressive governments around the world, including Azerbaijan, Jordan, Russia, Turkey and the United Arab Emirates, noting that they have played a “direct role” in the Internet shutdown in Belarus in 2020. .
“Sandvine provides deep packet inspection tools, which have been used in mass web monitoring and censorship to block news, as well as to target political actors and human rights activists,” the US State Department said , explaining the rationale behind adding the company to the trade restricted list. “This technology has been misused to inject commercial spyware into the devices of perceived critics and dissidents.”