ODNI guidelines for handling commercially available data to be released ‘any day,’ DOD official says

The Office of the Director of National Intelligence (ODNI) is on the cusp of releasing new recommendations for guiding the intelligence community on how to consider ethics when acquiring commercially available data that often incorporates sensitive personal information on Americans, a top Pentagon official said Tuesday.

A “framework” featuring nine principles to assist the intelligence community, or IC, in zeroing in on and weighing privacy threats that could surface when buying data from data brokers is set to be released imminently, Department of Defense (DOD) Associate Deputy General Counsel for Intelligence Lindsay Rodman said at an event hosted by U.S. Cyber Command.

Rodman acknowledged that adding structure to the IC’s longtime purchase of commercially available information (CAI) is of critical importance since the ability to buy vast amounts of sensitive data on the open market presents “privacy concerns.”

“There's basically a whole rubric of requirements for doing that analysis and then putting appropriate safeguards in place,” Rodman said of the coming ODNI report.

The DOD's Lindsay Rodman said legislation to restrict the government's ability to buy CAI from data brokers without a warrant would create "serious obstacles." Image: DOD

How U.S intelligence agencies procure and use CAI ranges widely in terms of sensitivity, Rodman and other panelists said, citing how everything from weather information to geolocation data sold by third parties falls under the umbrella. 

Legislation in Congress known as the Fourth Amendment is Not for Sale, which is designed to gut the U.S. government’s ability to buy CAI from data brokers without a warrant, could receive a vote as soon as this week. 

Rodman made clear that she and the IC oppose that legislation, saying it could create “serious obstacles” to their work.

In November, Duke researchers released a report showing that several data brokers sold individually identified data, including sensitive health and financial information for military service members for as little as 12 cents each.

They also peddled bulk data for individuals within geofenced military facilities such as Quantico, the report showed.

DOD is building its own framework laying out policies for how and when to buy CAI, but Rodman noted that few DOD and IC missions requiring data involve U.S. citizens.

“There isn't a sort of deep hunger to obtain this information beyond what is mission-enabling,” Rodman said.

But she acknowledged that there are “certain missions that do require digging into this information and, for those, that's [where] we need the extra safeguards in place.”

Still, Rodman said, she speaks with people at DOD and the IC who do not want to sweep up personal information on Americans unless it is vital, particularly due to safeguards which makes its use difficult to navigate.

“There's no one sitting in the department who's like, ‘Ooh, I really want your personal information, that’d be so awesome,’” she said.

However, ODNI released a report in June, acknowledging that it buys large amounts of data on U.S. citizens without oversight and admitting that the practice raises privacy concerns.

“In a way that far fewer Americans seem to understand, and even fewer of them can avoid, CAI includes information on nearly everyone that is of a type and level of sensitivity that historically could have been obtained” only through “targeted” collection methods such as wiretaps and physical surveillance, the report said.

A spokesperson for ODNI said it is committed to working in a way that is “protective of privacy and civil liberties, and we are finalizing a framework that lays out standards and processes governing the intelligence community’s access to, and collection and processing of, commercially available information.”