We’ve seen companies like Apple lean into protecting private data as a selling point for their products and states like California and Virginia attempt to regulate consumer data when faced with inaction on the federal level. Data privacy is much discussed, but there have been few moves from Congress to comprehensively regulate the collection, use, and storage of consumer data.

The resulting fragmented approach has created a confusing patchwork of regulations and opened up several national security vulnerabilities that foreign governments, including China and Russia, can use to surveil Americans, track intelligence assets or military personnel, develop targeted biothreats, perfect AI systems, and target influential figures.

The Alliance for Securing Democracy’s media and digital disinformation fellow Bret Schafer and Lindsay Gorman teamed up with civic tech entrepreneur Clara Tsao and Harvard’s Dipayan Ghosh to explore national security vulnerabilities in the online information ecosystem in a series of papers. Today we released the second paper in the series, The Weaponized Web: The National Security Implications of Data, which focuses on the lack of protection for personal data in the United States.

The report’s authors write that it’s “time to stop admiring the problem and focus instead on concrete solutions.” They make five legislative policy proposals to address national security vulnerabilities related to the collection, use, security, and transfer of personal data.

  1. Require third-party data brokers to register with the FTC (or a newly established data protection authority), pay annual registration fees to fund enforcement, disclose ties to foreign governments and corporations, and establish limits on the types of data that can be sold to third parties without explicit user consent.
  2. Limit the acquisition and sale of biometric and genomic data (e.g., facial recognition images, fingerprints, DNA) to exclude certain covered foreign entities.
  3. Require more of companies that amass citizen data by tying cybersecurity requirements to the amount and type of data collected, processed, or stored.
  4. Pass a small business cybersecurity tax credit.
  5. Require companies to notify a federal authority, such as CISA, of a breach, including the type of incident, soon after the company becomes aware of the intrusion.

You can read the data paper here: https://securingdemocracy.gmfus.org/national-security-implications-of-data/.

You can read the first paper in the series, which focuses on the digital advertising ecosystem, here: https://securingdemocracy.gmfus.org/levers-in-the-digital-advertising-ecosystem/

Please reach out to press@securingdemocracy.org if you are interested in speaking to the authors.