ODNI Introduces Framework for Handling Commercially Available Information
On May 8, the Office of the Director of National Intelligence (ODNI) introduced a policy framework aimed at standardizing how the Intelligence Community (IC) deals with commercially available information (CAI). This data, often collected from personal devices, cars, and social media, is available for purchase from various commercial sources. The ODNI’s new framework includes principles for acquiring and safeguarding CAI, especially sensitive information, and mandates cataloging of purchases and usage by IC agencies.
This move highlights a rising awareness within the IC about the privacy risks posed by the acquisition of CAI. While the framework aims to standardize practices and improve transparency, it does grant substantial discretion to agencies, potentially limiting its effectiveness. The framework also stops short of prohibiting the purchase of data that would otherwise require legal processes such as warrants, court orders, or subpoenas.
Growing Concerns
A June 2023 declassified report revealed that intelligence agencies have increasingly been purchasing large amounts of personal information. The surge in this practice is tied to advances in digital technology and the advertising-driven surveillance model prevalent in the internet industry. Although much of this data is theoretically protected by privacy laws, agencies have often bypassed these safeguards by buying data from commercial brokers, sidestepping legal requirements as highlighted in the Carpenter v. United States ruling.
General Principles for Handling CAI
The ODNI framework outlines nine general principles for IC agencies when acquiring and using CAI, emphasizing that privacy and civil liberties should be integral considerations. Agencies are required to establish policies that adhere to these principles, which include assessing the quality of data, implementing safeguards, and ensuring transparency to the public and oversight bodies.
Despite their importance, some principles merely reiterate constitutional requirements, raising questions about their added value. The framework’s allowance for agency discretion in applying these principles could potentially undermine privacy protections.
Handling Sensitive CAI
The framework specifies how to handle sensitive CAI by first defining what qualifies as sensitive. Information considered sensitive includes substantial volumes of personally identifiable information (PII) or data that reveals intimate details about individuals. However, the definition lacks clarity on certain categories of highly sensitive information like biometric data and internet browsing history.
Minimum standards for acquiring and safeguarding sensitive CAI include assessing privacy risks and implementing protective measures, but allow waivers in exigent circumstances. While these standards aim to protect privacy, the framework does not establish firm rules, leaving much to the agencies’ discretion.
Documentation and Reporting Requirements
The framework mandates that IC agencies document their acquisition and use of sensitive CAI to improve transparency and accountability. This includes detailing the purpose, source, and volume of data acquired, as well as any safeguards applied. Agencies must report this information to ODNI annually, which in turn is required to update Congress and provide public reports biennially.
Future Considerations
Despite its strengths, the framework’s primary shortcoming is its failure to prohibit the purchase of data that would otherwise require legal processes to obtain. Legislative measures like the Fourth Amendment Is Not For Sale Act and the Government Surveillance Reform Act aim to address this gap by restricting the purchase of certain sensitive information and imposing stricter oversight.
The ODNI framework acknowledges the need for strict rules for government acquisition of CAI but creates its own subjective guidelines rather than adhering to existing legal standards set by Congress and the courts.