In late February 2024, the Biden Administration issued its long-awaited Executive Order to protect the personal data of Americans from foreign threats by restricting access to Americans’ bulk data by “countries of concern,” when such acquisition would “pose an unacceptable risk to the national security of the United States.” Though governments were cited as the primary impetus for the Order, it did reference entities that may be influenced or directed by governments to engage in this type of massive information collection. Data includes, but is not limited to, biometric data, personal health, geolocation, financial information, and other forms of personally identifiable information. Such information can be used for a variety of purposes depending on the intent of threat actors, such as cybercriminal activity, blackmail, continued surveillance, and online activity monitoring and tracking, among others. The Department of Justice (DoJ) has been tasked with creating a framework of “clear protections for Americans.”
A key aspect of the Order is how it restricts those organizations that are in the business of collecting, selling, and even reselling the personal data of Americans, a practice that can straddle the fuzzy gray line between legal and illegal. In a related incident, the Federal Trade Commission (FTC) found that Avast, an antivirus security company, had collected the browsing data of its customers and stored it without notifying them, before selling it to more than 100 third parties – the very thing the company claimed to protect its customers from. Avast agreed to pay a USD $16.5 million fine to settle the FTC’s charges. And while data brokers selling such information to other marketers and companies is bad enough, the potential to sell it to countries like China or Russia for other nefarious purposes is even more worrisome.
Foreign intelligence services have long been believed to mine social media platforms in an attempt to harvest information that could be used to support other activities. Indeed, China has reportedly harvested Facebook and Twitter for information on targets of interest. The work of data brokers ostensibly replaces much of this early collection effort, allowing spying resources to be allocated elsewhere. China has been linked to some of the largest cyber espionage collections of U.S. personnel data, including the Office of Personnel Management (22.1 million), Anthem Healthcare (78 million), and Equifax (145 million). So, it is evident why leveraging “legal” means to collect similar types of personal information would be in Beijing’s interest. This helps explain the current controversy over the immensely popular Chinese app TikTok. Per the platform’s privacy policy, TikTok “automatically collects certain information,” including “Internet or other network activity such as IP addresses, geolocation related data, unique device identifiers, browser and search history, and cookies.” Given that Chinese law mandates that Chinese-owned companies turn over user data when requested, this app (1 billion monthly active users) is yet another avenue of bulk information collection for Chinese authorities.
So, curbing such bold collection is certainly a step in the right direction and an important one in acknowledging that all data is valuable and can be used and exploited. This is a worrisome truth, especially given the most unique data a person has: DNA. Thankfully, the Order takes this into account, identifying genomic data as a resource that needs to be protected at all costs. This is important for the healthcare community and, in particular, for the future development of bioproducts, which, according to the former top U.S. counterintelligence official, is a USD $4 trillion industry. In the wake of the COVID pandemic, it is easy to see how such information could be exploited and engineered for the wrong purposes. Giving credence to this concern, U.S. intelligence believes that Chinese companies are actively trying to acquire genomic data from U.S. persons, and in late January 2024, the U.S. Congress introduced legislation that would ban China’s largest genomics company from doing business in the United States for this very reason. Hopefully, it isn’t too late.
However, the Order also reveals the challenges ahead in trying to enhance personal privacy, especially as the United States struggles to promote an open Internet while protecting sensitive personal data. On one hand, the framework the DoJ is developing would presumably ratchet up restrictions on how such data is used, stored, transmitted, and, most importantly, protected. On the other hand, the Order states that the government will not impose broad prohibitions such as general data localization requirements or a mandate that sensitive personal data be stored within the United States. It also states that it will not extend to any expressive activity by Americans, who may continue to use social media, messaging, video, and the like. This is a positive development, though it is unclear whether it will have a long-term effect on foreign adversaries acquiring this type of data from third parties outside the United States. It is plausible that a foreign adversary could use those avenues to collect or purchase the information it seeks.
What’s clear is that the Order is directed at the unnamed countries of concern, the usual suspects of the adversarial cyber world. Numerous Intelligence Community testimonies before Congress and Annual Threat Assessments have identified these primary cyber threat actors and their pervasive activities. Under this Order, it would make sense for a company like TikTok to be immediately in its crosshairs, for the very data collection activities it admittedly performs as part of operating its platform. The Administration needs to make it abundantly clear that any company like TikTok will be scrutinized extensively for such practices and banned immediately if found to be in violation. The U.S. government has officially banned the app on U.S. government devices, yet Biden continues to use the platform to promote his presidential candidacy. Though he maintains that he will sign a bill banning the app if Congress presents one to him, his continued use of it conveys perceived hypocrisy, or at the very least, mixed signaling. The U.S. government’s stance on these matters, and the consequences for violating it, needs to be transparent to the world so that others take it seriously.
How the Order is rolled out is extremely important because this is the type of start that could ultimately and hopefully lead to a U.S. national data privacy law, which is so desperately needed. With nine out of ten Americans considering online privacy to be a serious issue, the government needs to show it has heard their call. Ideally, the DoJ will create a flexible framework that can adapt to the times; it makes no sense to do otherwise when it comes to addressing the most challenging of cyber issues. The framework needs to be more than a thought piece on paper, and the actions it creates need to speak volumes louder than the words on which it is written.