Data Brokers Threaten National Security. The Consumer Financial Protection Bureau’s Fair Credit Reporting Act Rulemaking Can Reduce the Threat.

Data brokers—companies that aggregate and sell our personal data—are a well-known threat to privacy. But data brokers do more than degrade our privacy; they also pose a serious threat to national security. Data brokers routinely build extensive dossiers of information on Americans, including members of the armed forces and others in national security posts. Much of that personal data is collected as we browse the internet and use online services, including sensitive location records, health information, biometric data, and financial information. Many companies extract and sell that information to data brokers, who in turn compile records, draw inferences, and resell datasets and dossiers to willing buyers—whoever they may be.

This lawless data broker ecosystem allows foreign adversaries to purchase detailed records about individuals, which puts service members and other government officials at risk and can reveal sensitive national security information like patrol routes around military bases. Further, bad actors can use information obtained from data brokers to blackmail or use phishing tactics to obtain state secrets from service members or government officials. Data brokers pose a serious threat to national security which must be addressed.

The Consumer Financial Protection Bureau (CFPB) has outlined proposed rules pursuant to its authority under the Fair Credit Reporting Act (FCRA) which would limit how data brokers collect and share information. These rules would reduce the capability of foreign adversaries and bad actors to obtain sensitive personal information with national security implications from data brokers, cutting off the flow of personal data at the source.

The Bureau announced its interest in a FCRA rulemaking in March 2023 and released an overview of the regulations it’s considering in September. EPIC filed comments at both stages. The CFPB is expected to issue a proposed rule, or Notice of Proposed Rulemaking (NPRM), later this year. Members of the public will have an opportunity to submit comments, and the CFPB will consider the comments it receives while formulating a final rule.

How data brokers threaten national security

Researchers have highlighted several troubling ways in which data brokers threaten national security. For example, Duke University researchers found that data brokers are selling sensitive data, including names, addresses, geolocation records, religion, net worth, and health information, about active-duty military members, veterans, and their families. The researchers contacted U.S. data brokers and were able to purchase American service members’ records for as little as $0.12 per record. The Irish Council for Civil Liberties found that foreign adversaries can obtain sensitive data about U.S. service members, politicians, and other high-profile figures through the real-time bidding system used by data brokers to target online advertisements. In 2018, Strava released a global heat map showing user activity records, and researchers and activists found that the heat map could be used to identify the locations of military bases and patrol routes, as well as identifying information for the service members who used Strava in those locations.

What is government doing to address the threat data brokers pose to national security?

In February 2024, President Biden issued an executive order which authorized the Attorney General to prevent large-scale transfer of Americans’ personal information to “countries of concern.” And in April 2024, President Biden signed into law the Protecting Americans’ Data from Foreign Adversaries Act of 2024, passed by Congress as part of an emergency supplemental appropriations bill. The Act prohibits data brokers from selling, transferring, or providing access to Americans’ sensitive data to certain foreign adversaries or entities controlled by foreign adversaries. These measures may make it more difficult for foreign adversaries to obtain sensitive personal data from Americans, but the risk of circumvention remains.

How the CFPB’s FCRA rulemaking can address the threat

The regulations the CFPB is considering would update existing FCRA rules to tighten how data brokers can use and obtain information. The amended rule would reduce the threat that data brokers pose to national security. Specifically, the CFPB’s regulations would clarify that a wide range of data brokers are within FCRA’s scope. As a result, covered data brokers would only be able to collect consumer information for permissible purposes set forth under the FCRA, and they would only be able to share data they collect with third parties when there is a permissible purpose to do so. Limiting data collection and sharing by data brokers would help to ensure that sensitive personal data with national security implications does not end up in the wrong hands.

Reducing the availability of personal data available for purchase would limit the information that foreign adversaries and bad actors can obtain and use to undermine national security. Minimizing the data that brokers amass and sell in the first place is a far stronger national security safeguard: you don’t have to protect what you don’t collect.