The lack of adequate personal data protection in the United States poses a significant threat to national security. Data privacy and protection are often pitted against efforts to stimulate the U.S. economy. To bolster the economy, companies have been afforded the opportunity to amass, aggregate, and share vast quantities of the population’s personal data for profit with limited restrictions under U.S. law. California, Virginia, and Colorado serve as exceptions, as their residents’ data is subject to data protection laws that bear some resemblance to the EU General Data Protection Regulation (GDPR).
The data amassed and aggregated by U.S. companies can create detailed maps of individuals’ personal and professional lives. Companies can have access to sensitive personal data, like sexual orientation, political affiliations, and health information; locations, movements, and routine activities; and personal employment information, like work roles and responsibilities. The United States even enables certain companies to serve as “data brokers,” allowing them to collect and consolidate individuals’ personal data and sell or license it to third parties—in whole or in part—for a fee. U.S. law also does not prohibit government agencies and non-profit organizations from consolidating government employees’ salary and pension data and making it available in publicly searchable databases.
Data breaches and leaks add to the personal data already available online. Breached data is typically posted on the clearnet or the darknet, either for free or for a fee; for example, following the 2020 Facebook breach, more than 267 million user profiles were offered for sale on the darknet. Beyond breaches and leaks, new and emerging technologies add to the sheer volume and variety of data available to third parties, whether U.S. companies, foreign adversaries, or anyone else interested in it. Consider the Internet of Things (IoT) devices deployed in homes, businesses, government agencies, and even critical infrastructure sectors across the United States: each of them generates data that is shared with, or otherwise made available to, third parties. In early 2018, Strava, a company that offers a fitness-tracking app and website, brought home the lesson that this kind of data can pose a risk to national security. The global heat map Strava had published online aggregated the running routes of its users. Although the map did not name individual users, it revealed movements on and around remote U.S. military bases in foreign countries: in a remote area, base personnel were essentially the only people logging activity, so the aggregate map outlined the base itself and the routes used there. The use of this and similar smartphone apps, as well as IoT fitness wearables, is therefore particularly problematic for personnel stationed on military bases or working in positions and locations where the tracking of their movements could endanger them, their organization, and others.
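The Strava case illustrates a general property of aggregate location data: a heat map can contain no names and still outline a sensitive site, because intensity reflects how often a route is used, not how many different people use it. The script below is an added example written for this page (it is not Strava's code or data) and uses constructed GPS traces with arbitrary coordinates: 25 city joggers who each log one lap of a popular park loop, and three people at a remote site who run its perimeter track every day for a month. It builds a naive hit-count heat map, shows that the remote loop is brighter than the city loop despite coming from only three people, and then applies a minimum-contributor threshold (assumed here to be five distinct users per cell) that suppresses cells an individual could be inferred from. The grid resolution and the threshold are assumptions for illustration.

```python
"""
Added example (not Strava's code or data): how an "anonymous" activity heat map
can still outline a sensitive site, and a minimum-contributor threshold that
suppresses it. All traces are constructed; coordinates are arbitrary.
"""
import math
from collections import defaultdict

CELL_DEG = 0.01  # assumed grid resolution, roughly 1 km at mid-latitudes


def cell_of(lat, lon):
    """Map a coordinate to its grid cell. round() before floor() keeps
    floating-point drift from pushing a point across a cell boundary."""
    return (math.floor(round(lat / CELL_DEG, 6)),
            math.floor(round(lon / CELL_DEG, 6)))


def loop_points(center_lat, center_lon, half_size, steps_per_side, laps):
    """GPS samples along the perimeter of a square route, repeated `laps` times."""
    step = 2 * half_size / steps_per_side
    pts = []
    for _ in range(laps):
        for i in range(steps_per_side):
            d = -half_size + i * step
            pts.append((center_lat - half_size, center_lon + d))  # south edge
            pts.append((center_lat + half_size, center_lon - d))  # north edge
            pts.append((center_lat + d, center_lon + half_size))  # east edge
            pts.append((center_lat - d, center_lon - half_size))  # west edge
    return pts


def sample_traces():
    """Constructed data: 25 city joggers each log one lap of a popular park loop;
    3 people at a remote site run its perimeter track daily for a month."""
    traces = {}
    for i in range(25):
        traces[f"city-{i}"] = loop_points(48.855, 2.345, 0.02, 8, laps=1)
    for i in range(3):
        traces[f"remote-{i}"] = loop_points(30.005, 30.005, 0.02, 8, laps=30)
    return traces


def build_heatmap(traces):
    """traces: {user_id: [(lat, lon), ...]} -> {cell: {"hits": n, "users": set}}.
    A naive heat map publishes `hits`; the contributor set is what privacy needs."""
    cells = defaultdict(lambda: {"hits": 0, "users": set()})
    for user, points in traces.items():
        for lat, lon in points:
            cell = cells[cell_of(lat, lon)]
            cell["hits"] += 1
            cell["users"].add(user)
    return dict(cells)


def low_contributor_cells(cells, min_users):
    """Cells whose activity comes from fewer than min_users distinct people."""
    return {c for c, v in cells.items() if len(v["users"]) < min_users}


def publishable(cells, min_users):
    """Hit counts safe to publish: only cells with at least min_users contributors."""
    return {c: v["hits"] for c, v in cells.items() if len(v["users"]) >= min_users}


if __name__ == "__main__":
    cells = build_heatmap(sample_traces())
    risky = low_contributor_cells(cells, min_users=5)
    for c in sorted(risky):
        print(f"cell {c}: {cells[c]['hits']} hits from only {len(cells[c]['users'])} users")
    print(f"{len(cells)} cells total, {len(publishable(cells, 5))} publishable at k=5")
```

Run as a script, it lists every cell of the remote perimeter as a low-contributor cell with more hits than any city cell, and reports that only the city cells survive the threshold. The design point is that the suppression decision must be made on the number of distinct contributors per cell, which the publisher has and the public map does not, rather than on the hit count that the map displays; a threshold applied to hits alone would keep exactly the cells that are most revealing.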
Further, every additional party that collects, stores, or shares personal data widens the attack surface around it, raising the risk of unauthorized access and the likelihood that interested third parties will put it to use. This data is valuable not only to the companies that use and sell it but also to criminals and foreign adversaries, who use it to target specific individuals. For example, publicly searchable databases of government salaries and pensions can turn the employees listed in them into targets: for criminals, such as scammers who prey on elderly pensioners, and for foreign adversaries, who may combine this information with other data to identify potential intelligence assets.
Personal information obtained from data breaches enables both cyber-dependent crimes (e.g., hacking, malware distribution, and DDoS attacks) and cyber-enabled crimes (e.g., computer-related fraud, such as phishing). Spearphishing, a targeted form of phishing, draws on what the attacker already knows about the target to extract more personal data, even financial information, and to trick the target into clicking links that download malware onto a computer or other device, giving the perpetrator access to it. Foreign adversaries have used this tactic to gain access to defense contractor and U.S. government systems, as well as to critical infrastructure sectors.
The data breaches of the last few years, and the types and quantities of data taken in them, show both how attractive personal data is to attackers and how widely exposed it remains to cyber-dependent and cyber-enabled crime. Without personal data protections, these crimes will only multiply, and the trend will continue until personal data protection is adequately addressed. Corporate profit should not be prioritized over the protection of personal data. This practice has already harmed U.S. national security, and it will continue to do so unless data protection practices across the United States change.
Marie-Helen Maras is an Associate Professor at the Department of Security, Fire, and Emergency Management and the Director of the Center for Cybercrime Studies at John Jay College of Criminal Justice. She holds a DPhil in Law and an MPhil and MSc in Criminology and Criminal Justice from the University of Oxford. Her academic background and research cover cybersecurity, cybercrime, and the legal, political, social, and economic impact of digital technology. She is the author of numerous peer-reviewed academic journal articles and books, the most recent of which is Cybercriminology (Oxford University Press), and serves as a consultant and subject matter expert on cybercrime and cyber organized crime at the United Nations Office on Drugs and Crime.