Government to Crack Down on Foreign Adversaries Stealing Americans’ Personal Data

Bad actors could exploit this data to conduct cyberattacks, strengthen their military capabilities, or even track and profile U.S. individuals, including military members, intelligence personnel and federal employees, say the architects of the measure. They could also target and exploit activists, academics, journalists, dissidents and others for intimidation or suppression.

Currently, these countries can purchase our biometric, human, economic, health, financial, precise geolocation data and certain personal identifiers through commercial means, according to the press release. This data could be used in blackmail and espionage, but the rule will restrict, and in some instances prohibit, access to the above data through certain transactions.

The ruling also details how foreign adversaries could stifle political opposition and limit American freedoms as well as support broader efforts to suppress civil liberties. Russia, for example, largely succeeded in sowing discord ahead of the 2016 elections by targeting various demographics with disinformation on social media.

How Bad Actors Could Weaponize AI Against the Public

With the advent of AI, a greater concern is how this data could be fed into advanced computing and neural networks to discern information the human mind cannot. AI can be used to divine patterns from seemingly unrelated data sets.

An academic study quoted in the ruling stated that “foreign and malign actors could use location datasets to stalk or track high-profile military or political targets.” This information could be used to expose military bases, undisclosed intelligence sites or even troop build-up.

Last year, a team of investigative reporters at Wired showed how this data could be exploited by using personalized ad data (screenshot below) to track U.S. Government contractors, intelligence personnel and soldiers inside Büchel Air Base, a strategic military base.

According to the investigation, reporters gathered information beyond basic data and working hours; it highlighted entry and exit points, frequently visited areas and tracked personnel to off-base locations, divining house locations.

The French newspaper Le Monde claimed it could track the highly classified locations of President Biden, Vice President Harris and President Trump by mining data from the fitness apps their security details use. Foreign adversaries looking to exploit US national security could easily use this information to their advantage.

What About TikTok?

The Final Rule outlines key details on the categories of transactions that are prohibited, restricted, or exempt and sets bulk thresholds for sensitive personal data.

It also introduces processes for obtaining licenses for transactions that would otherwise be prohibited or restricted and designates “covered persons.” Though maybe less effective, it issues advisory opinions and establishes protocols for recordkeeping, reporting, and due diligence.

However, it does not impose requirements for storing Americans’ sensitive data or U.S. government data within the United States. Nor would it prohibit or restrict medical, scientific or other types of research in countries of concern, as long as no payment or consideration is exchanged in covered data transactions. Nor will it disrupt commercial transactions, including data exchanges when selling goods or services internationally.

The bottom line is that it generally avoids broader measures that could disrupt consumer, economic, scientific, or trade relationships with other countries.

For influencers concerned about how the new rule will have zero impact on TikTok. It doesn’t ban or propose any new restrictions on social media platforms, for that matter. It only addresses “the national security risks––not the broader domestic privacy challenges posed by social media.”

‘Powerful New National Security Program’

Assistant Attorney General Matthew G. Olsen of the Justice Department’s National Security Division called the ruling a “powerful new national-security program designed to ensure that Americans’ personal data is no longer permitted to be sold to hostile foreign powers.”

The rule will take effect 90 days after publication, with “certain affirmative compliance obligations” being phased in 270 days later.

To read more about the ruling you can find it here, with a fact sheet found here.