Director of National Intelligence (DNI) Avril Haines, who oversees 18 separate agencies comprising the wider “intelligence community” - including the CIA, FBI, and NSA - has released a “policy framework for commercially available information.” It is not only the very first public confirmation by a US government official that Stateside spying entities acquire extensive data on private citizens from third-party brokers, but admission of this yield is deeply sensitive. While purportedly setting limits on the use of this information by spooks, the details are vague or non-existent.

“Commercially available information” (CAI) refers to data collected on individuals, typically by their smartphones, and the apps they use, sold by third parties. Via various sleights of hand and ruthless exploitation of regulatory loopholes, US intelligence obtained information not accessible by average citizens, which would typically require a court-approved search warrant to access. Yet, by purchasing this data from private brokers, spying agencies can still claim this snooping is “open-source”, based on “publicly available” records.

A particularly rich source of CAI is data hoovered from digital advertising. In-app and website adspace is sold on real-time bidding (RTB) exchanges, and location and other user data are often included as a bonus, to ensure optimal ad targeting. Many data brokers pose as advertisers in order to “scrape” the listings for user information, before selling it on for profit. The value of this data, and the malign purposes to which it can be put, are vast.

For example, an intelligence contractor once exploited data reaped from dating app Grindr to track the movements of gay government employees. RTB data has also been used by anti-abortion groups to track women who visit Planned Parenthood clinics in the US. More positively, RTB data has helped construct a dossier on child sex trafficker Jeffrey Epstein's associates, tracing smartphone device owners who visited his private island to addresses in the US and other countries.

‘Personal Attributes’

As Haines’ framework notes, “commercial entities are collecting and aggregating unprecedented amounts of personal data” presently, “from a variety of sources.” This includes “cell phones, cars, household appliances, and other personal devices.” This information is then made available “to a diverse set of purchasers, including for-profit and nonprofit entities, foreign adversaries, and domestic and transnational organizations.” The US “intelligence community”, the director admits, routinely avails itself of the opportunity to “access, collect, and process” this CAI.

CAI is routinely used “in pursuit of mission imperatives, and the information often provides critical intelligence value,” Haines claims. Yet, “these datasets can reveal sensitive and intimate personal details and activities,” she concedes. The admitted wealth of data the CIA et al. can access on private citizens via third-party brokers is nothing short of disturbing. For example:

“Personal attributes, conditions, or identifiers traceable to one or more specific US persons, [including] race or ethnicity, political opinions, religious beliefs, sexual orientation, gender identity, medical or genetic information, financial data, or any other data the disclosure of which would have a similar potential to cause substantial harm, embarrassment, inconvenience, or unfairness to the person or persons described by the data.”

Furthermore, CAI can include “data that captures the sensitive activities” of target individuals and groups. “Sensitive activities” are defined as any “that over an extended period of time establish a pattern of life; reveal personal affiliations, preferences, or identifiers; facilitate prediction of future acts; enable targeting activities; reveal the exercise of individual rights and freedoms.” Terrifying stuff - but Haines’ framework offers little to no clear guidance on how the purchase and use of CAI by US intelligence agencies will be restricted.

Tracking users in REAL-TIME

The document claims “additional clarity” will protect citizen privacy, although none is offered in its contents. Disquietingly too, spy agencies themselves are tasked with formulating “safeguards that are tailored to the sensitivity” of CAI they collect, and produce annual reports on their use of this data. There is no requirement for intelligence services to delete any old purchased data under any circumstances - even if it was erroneously collected - and most concerningly of all, no restrictions on what information can and can’t be purchased. 

This is particularly concerning, given it is clear certain smartphone apps have been willing to take directions from private intelligence firms and data brokers on what information to collect on their users, which is then passed via the third parties to US spying entities. It has been confirmed that MuslimPro, which offers a daily prayer calendar and a compass pointing towards Mecca, surreptitiously started tracking users’ locations at the direct request of a broker, which subsequently sold this information on to government clients.

Other brokers predominantly, or exclusively, serve state organisations. This includes Babel Street - an “AI-enabled data-to-knowledge company” - which provides US agencies, including the DEA, ICE, IRS, Secret Service, and Treasury Department with location data, and “integrated communications” firm Barbaricum. A $5.5 million contract the company was awarded by ICE in 2020 refers to its ability to “geolocate individuals beyond standard geotagging,” “monitor and analyze all social media activities” across every platform, including “foreign/dark web/deep web social media networks in REAL-TIME [emphasis in original].” 

Elsewhere, the contract refers to how Barbaricum can create “psychological profiles” of targets, and “identify whether a user has deleted messages and provide content from deleted accounts and/or deleted messages.” Prior to the publication of the Director of National Intelligence’s “policy framework,” the extent of CAI spying activities by US spies was unknown. It was necessary for independent researchers and campaign groups to piece together a rough outline from limited publicly available records.

Now, the same agencies that used and abused private user data with total impunity for years are being granted responsibility for crafting their own internal policies for what is and isn’t acceptable to intercept, analyse, exploit, and act upon. Be afraid. Be very afraid.