The order is designed to prevent data brokers and other companies from selling access to large stores of geographic information, genomic information and other sensitive personal information to buyers in “countries of concern” such as China, Russia and Iran, administration officials told industry and civilian institutions. Community experts. The upcoming order was first reported by Bloomberg News.
Federal officials have for years expressed concern about the risk that information purchased legally from data brokers or stolen by hackers working for foreign governments could be used to spy on or blackmail high-value targets in the United States, such as lawmakers and military personnel. The Washington Post reported in 2021 that China, for example, is mining Western social media, including Facebook and X, to provide its security services with information on foreign targets.
Recent developments in artificial intelligence have also raised concerns that data could be analyzed in more powerful ways to enable profiling and espionage, including of activists, journalists and political figures. Meanwhile, new laws in China have restricted foreigners' access to data that was previously available to Western academics, researchers and companies.
China's seizure of tens of millions of Americans' data, whether through hacking or purchasing companies, has long been a source of concern to US officials. The massive Chinese cyber breach of federal employee records, discovered in 2014 and the Marriott hotel database a few years later, and its combination with existing intelligence and commercially available information, raised concern that Beijing – and to some extent Moscow – was building a capacity to track individuals, including… Including undercover CIA officers.
One former senior US official, who spoke on the condition of anonymity due to the sensitivity of the matter, said there were “serious negative consequences” as a result of these violations.
Now that vast stores of personal genomic, geolocation, health and financial data are commercially available, officials worry that foreign adversaries could simply purchase information in bulk from intermediaries without users' knowledge or consent. For example, there are no laws that would prevent a genomics company from contracting with a Chinese company to sequence its genetic samples.
James A. said: Lewis, a technology policy expert at the Center for Strategic and International Studies: “In China, they use large-scale data collection for surveillance and repression.” “The concern is that they may use Americans' data for malicious purposes.”
Meanwhile, some analysts said, the order may be difficult to implement and implement, requiring the government to find a way to track commercial data flows on a global scale.
“In the face of a persistent and sophisticated foreign adversary, would this be effective in denying them access to this data?” asked Nigel Currie, associate director of trade policy at the Information Technology and Innovation Foundation. “At this point, it is difficult to see how what the administration is doing will be targeted and effective enough to do that.”
Other analysts fear that what the Biden administration intends as a narrow, targeted system could encourage future presidents or other governments to more forcefully exert their influence over the world's most powerful communications medium.
“My impression is that the administration doesn't want to fragment the Internet,” said Sam Sachs, a fellow at Yale Law School's Paul Tsai China Center, adding that the categories of data in the executive order appear limited for now. “But these could expand as we play whack-a-mole” with new types of data collection, she added.
Administration officials declined to comment, as the order has not yet been issued. But they said in briefings that such a move is necessary in the absence of a national data privacy law, which would regulate the collection and sale of Americans' sensitive information. They note that the executive order only begins the months-long rulemaking process through which industry and civil society groups can offer suggestions and criticism.
The order was also motivated by concern that the government has limited capacity to deal with threats of foreign data misuse. Today's most prominent track—the interagency group known as the Committee on Foreign Investment in the United States—has the authority to review and block individual foreign business deals on national security grounds. The committee said it needs a comprehensive policy to guide decisions in areas related to companies that collect sensitive personal data. The Justice Department, which reviews some telecommunications licenses for national security risks, has similar concerns.
The order would not extend to any “expressive” activity such as social media posts, messages or videos by Americans on platforms like TikTok, the popular video app whose ownership by Chinese tech giant ByteDance has led to heated debates in Washington about national security. And freedom of expression.
The order will not target any one company, like TikTok. However, if an app collects information in large amounts that is considered sensitive because it can help identify a person and their habits, such as geolocation data, that information cannot be sent to any country of concern, experts say.
For each category of restricted data, the administration will specify the amount beyond which transfer is prohibited — for example, a certain number of U.S. individuals for genomic data — and a certain number of devices on which geolocation data is collected.
The most sensitive categories include people's DNA and biometric data, as well as computer keyboard usage patterns. It is not intended, for example, to prevent an American from sending DNA to the genomics company 23andMe to find out if she has distant relatives in China, although the company would be prohibited from selling data in bulk to China or from working with Chinese processing. They said firmly.
US officials have noted that BGI Group, a Chinese company with an American subsidiary, runs the National Gene Bank of China, a massive government-owned repository that now includes genetic data drawn from millions of people around the world. Intelligence officials say they believe Chinese companies are trying to obtain DNA from Americans.
“Genomic data will provide a blueprint for future biotechnology products and capabilities to grow the economy, but if in the wrong hands, it can also be used as a weapon to create engineered pathogens or be misused to identify and target individuals,” said Michele Ruzo, vice president of the center. The National Security Committee on Emerging Biotechnology is mandated by Congress. “Genomic data is a strategic resource, and the United States must treat it as such.”
The order will cover aggregated data that is exchanged as part of a company investment, acquisition or contract, although there may be exceptions if the data exchange meets certain cybersecurity and privacy requirements. The order would exempt the normal financial activities of multinational companies or federal contractors, such as a company or government agency that processes payroll data for employees in the countries in question.
Some Commerce Department officials expressed concern that the plan could undermine trade or economic activity, including by imposing complex new requirements on companies with international operations, some experts said. Administration officials said the order was worded narrowly to minimize its negative impact.
Experts say enforcement will be challenged by determined adversaries seeking to purchase data through third parties in countries outside the United States. “What about using proxies?” Corey said. “How do you expect companies to do their due diligence to try to figure out who the ultimate owner of an entity is? How can they do that with so many different transactions involving the types of data they're concerned about?
Whatever rule is ultimately adopted, it is important that it is flexible enough to adapt in the future, he said. “This is uncharted territory,” Corey said.
Kate Brown contributed to this report.
