President Biden Blocks Mass Transfer of Personal Data to High-Risk Nations
29.2.24 BigBrothers The Hacker News
U.S. President Joe Biden has issued an Executive Order that prohibits the mass transfer of citizens' personal data to countries of concern.
The Executive Order also "provides safeguards around other activities that can give those countries access to Americans' sensitive data," the White House said in a statement.
This includes sensitive information such as genomic data, biometric data, personal health data, geolocation data, financial data, and certain kinds of personally identifiable information (PII).
The U.S. government said threat actors could weaponize this information to track their citizens and pass that information to data brokers and foreign intelligence services, which can then be used for intrusive surveillance, scams, blackmail, and other violations of privacy.
"Commercial data brokers and other companies can sell this data to countries of concern, or entities controlled by those countries, and it can land in the hands of foreign intelligence services, militaries, or companies controlled by foreign governments," the government said.
In November 2023, researchers at Duke University revealed that it's trivial to "obtain sensitive data about active-duty members of the military, their families, and veterans, including non-public, individually identified, and sensitive data, such as health data, financial data, and information about religious practices" from data brokers for as low as $0.12 per record.
Stating that the sale of such data poses privacy, counterintelligence, blackmail, and national security risks, it added hostile nations could collect personal information on activists, journalists, dissidents, and marginalized communities with the goal of restricting freedom of expression and curbing dissent.
The government said the countries of concern have a "track record of collecting and misusing data on Americans." According to the U.S. Justice Department, the countries that fall under this category include China, Russia, Iran, North Korea, Cuba, and Venezuela.
The Executive Order directs the federal agencies to issue regulations that establish clear protections for sensitive personal and government-related data from access and exploitation, as well as set high-security standards to limit data access via commercial agreements.
Additionally, the order requires the Departments of Health and Human Services, Defense, and Veterans Affairs to ensure that Federal grants, contracts, and awards are not misused to facilitate access to sensitive data.
"The Administration's decision to limit personal data flows only to a handful of countries of concern, like China, is a mistake," Senator Ron Wyden said in a statement, and that the argument that the U.S. government cannot be banned from buying Americans' data is no longer valid.
"Authoritarian dictatorships like Saudi Arabia and U.A.E. cannot be trusted with Americans' personal data, both because they will likely use it to undermine U.S. national security and target U.S. based dissidents, but also because these countries lack effective privacy laws necessary to stop the data from being sold onwards to China."
The latest attempt to regulate the data broker industry comes as the U.S. added China's Chengdu Beizhan Electronics and Canadian network intelligence firm Sandvine to its Entity List after the latter's middleboxes were found to be used to deliver spyware targeting a former Egyptian member of parliament last year.
A report from Bloomberg in September 2023 also found that Sandvine's equipment had been used by governments in Egypt and Belarus to censor content on the internet.
Access Now said Sandvine's internet-blocking technologies facilitated human rights violations by repressive governments around the world, including in Azerbaijan, Jordan, Russia, Turkey, and the U.A.E., noting it played a "direct role" in shutting down the internet in Belarus in 2020.
"Sandvine supplies deep packet inspection tools, which have been used in mass web-monitoring and censorship to block news as well as in targeting political actors and human rights activists," the U.S. Department of State said, explaining its rationale behind adding the company to the trade restriction list. "This technology has been misused to inject commercial spyware into the devices of perceived critics and dissidents."