diff --git a/_collections/_hkers/2023-06-13-defence-industry-in-northern-ireland.md b/_collections/_hkers/2023-06-13-defence-industry-in-northern-ireland.md new file mode 100644 index 00000000..a4bb0293 --- /dev/null +++ b/_collections/_hkers/2023-06-13-defence-industry-in-northern-ireland.md @@ -0,0 +1,365 @@ +--- +layout: post +title : Defence Industry In N. Ireland +author: Isabella Antinozzi and Trevor Taylor +date : 2023-06-13 12:00:00 +0800 +image : https://i.imgur.com/kFPM1Lr.jpg +#image_caption: "" +description: "Leveraging Untapped Potential" +excerpt_separator: +--- + +_In light of UK policy pledges to give defence a more regional footprint, this paper explores the extent of defence activity in Northern Ireland, a region that exhibits considerable defence potential yet has benefited only marginally from defence expenditure in recent years._ + + + +### Executive Summary + +Since 2015, the Ministry of Defence (MoD) has been explicitly directed to contribute to UK prosperity and, since then, it has consistently emphasised that the whole of the country should benefit from defence spending. The defence industry is economically important to many areas of the UK, and defence policy must be consistent with an industrial strategy that promotes jobs and skills throughout the UK’s regions and nations. In light of these policy pledges to give defence a more regional footprint, this paper explores the extent of defence activity in Northern Ireland (NI), a region that exhibits considerable defence potential yet has benefited only marginally from defence expenditure in recent years. + +The paper finds that: + +- NI is a long-contested region of the UK and experienced decades of violent sectarian conflict between the late 1960s and the late 1990s. The shadow of this conflict, some local political parties’ antipathy to the defence industry and a historical trend towards unequal regional MoD spending have considerably affected the defence demographics of NI today, resulting in little work being located there. However, a series of contextual and business changes are underway involving three prominent businesses with considerable defence potential: Thales, an experienced defence-focused business unit; Harland & Wolff, a heavy engineering firm at the centre of the National Shipbuilding Strategy’s aim of regenerating the shipbuilding sector; and Spirit AeroSystems, a high-technology aerospace company looking to expand into the defence space. + +- In addition to these three larger companies, the NI defence sector comprises many small to medium-sized enterprises (SMEs) operating predominantly in the digital manufacturing and technology sectors. Despite the customer focus and agility that they add throughout the defence supply chain, these smaller companies still feel that defence is a particularly difficult market to access. They experience several difficulties, some largely common to small firms across the country and others peculiar to the NI context. + +- Another key industrial asset in NI is its civilian aerospace legacy. The relevance of this sector is enhanced by the growing inter-relationships between the civil and military sectors. In an era where information capture and analysis are central to defence capability, surveillance and communications systems are often deployed on and in civil aircraft. In the uncrewed air systems domain, such systems are increasingly used for civil and military purposes. Thus, NI suppliers with certified qualities should explore and be considered for work in both the defence and civil sectors. + +- In addition to a strong civilian aerospace pedigree in the region, defence can also leverage NI’s vibrant cyber security sector. In the years since the Good Friday Agreement, NI has become a hotspot for cyber-security innovation, with cities such as Belfast and Derry/Londonderry exhibiting high technology specialists and consistently attracting domestic as well as overseas investment. Through its cyber-security clusters and academic centres of excellence, NI has developed beyond the average UK science and technology capabilities, nurtured science, technology, engineering and mathematics skills and established leading R&D programmes. These activities are the basis for generating military and security capabilities and other tangible and intangible assets, which are themselves levers of national power and influence. + +In all, NI exhibits considerable defence potential, with three prominent businesses at the top of the supply chain that can, together with the extensive range of SMEs in the region, create an opportunity to promote NI, not as part of the problem set of UK defence and security, but as a valued contributor to its management and solution. The MoD should be monitoring the situation and looking for further opportunities to support local stakeholders, as the current UK government ambition that the whole of the UK should benefit from defence activity is clearly not being met. This should be a particular concern of those in the MoD focused on prosperity and also be in the consciousness of all involved with defence spending with the private sector. + + +### Introduction + +There is a growing interest in the place of defence, especially the defence industry, in the UK economy. The Ministry of Defence (MoD) has been directed to contribute to national prosperity since the 2015 National Security Review. A study on defence in the economy by former defence procurement minister Philip Dunne was published in 2018. Recognised data limits in turn prompted the creation of the Joint Economic Data Hub (JEDHub) within the Defence Solutions Centre, whose initial report was published in 2022. The government’s 2021 Defence and Security Industrial Strategy (DSIS) included economic considerations among a range of wider factors. + +There has long been awareness of regional variations in the economic impact of defence work, but a parliamentary exchange in 2020 between Dunne and Secretary of State for Defence Ben Wallace made clear that the government is aware of local and regional considerations and aspires to see benefits for the whole of the UK. + +> The Secretary of State for Defence (Mr Ben Wallace): The MOD makes procurement decisions based on security, capability requirement, cost, supply chain and other social value considerations and will continue to do so. The November 2020 changes to the Green Book will ensure that there is an increased focus on setting clear objectives and consideration of location-based impacts. MOD footprint and spend is widely distributed across the UK and future procurement will continue to reflect this. + +> … + +> While the end-of-year rules were not changed, the recent £24.1 billion multi-year settlement with the Treasury will now allow the MOD to invest in next generation military capability across the whole United Kingdom. + +In Parliament, the Scottish Affairs Committee has devoted extended attention to defence in Scotland, but there has been little systematic information about the defence industry in Northern Ireland (NI), a gap that this paper seeks to fill. + +#### Aims and Objectives + +This paper examines the main challenges related to conducting defence business in NI as well as the key players in the region’s defence industrial landscape. It explores this landscape with a focus on three objectives: + +1. To collect, digest and explain information on the current position regarding spending on defence industry in NI. + +2. To assess the ambition and potential of businesses in NI to do more in and for the defence sector. + +3. To generate suggestions for government action to facilitate the ambition that the whole of the UK should benefit from the defence budget. + +The paper focuses primarily on the defence sector and on traditional defence players in NI. The security industry in NI is diversified, offering products and services to numerous government departments and organisations, as well as a broad spectrum of clients in the private sector. In contrast, the MoD is frequently the only buyer of specialised defence goods. Although it has thousands of suppliers for a wide range of products and services, many of which are not naturally associated with military capability, it typically purchases defence equipment from a limited number of much larger prime contractors who are able to handle the complex financial, technological and engineering requirements of delivering highly complex systems. These suppliers are the focus of this research. Government policy shapes the UK defence industry’s market much more than that of the security industry. Due to the MoD’s special relationship and ability to shape the market, this paper primarily focuses on the defence sector in NI and on the activities of Tier 1 and 2 suppliers therein. The extent and importance of the security sector in NI, and particularly cyber, is nonetheless addressed in Chapter IV. + +#### Methodology + +The research for this paper included a targeted review of academic literature on regional defence spending, as well as of grey literature (for example, reports from industry associations, defence company websites, UK government websites, innovation organisations and independent research organisations) in order to provide a considered, well-referenced analysis. The researchers also spent a week in NI speaking to industry associations, and industry prime and lower-tier suppliers. “Lower tier” refers to mid-tier, mid-sized and small SMEs – that is, non-prime defence contractors. Interviewees within these companies were selected on the basis of their knowledge of the topic, with a snowball sampling drawing from a network of defence companies in the region provided by Aerospace, Defence, Security & Space (ADS), a UK-wide industrial association. A list of the organisations and stakeholders whose insights have informed this research are in the Annex. Where possible, interview data was triangulated with open source references. The identities of those providing information and the organisations they work for have been kept confidential to facilitate their ability to speak freely, with exceptions related to those who explicitly agreed to be identified. + + +### I. Defence Procurement and the Levelling-Up Agenda + +Equipping the armed forces to deliver their outputs is one of the most critical, demanding and complex tasks faced by the UK government. The procurement of military equipment has never been a simple matter of seeking to buy the “best kit” for the military, as defence procurement can be an important factor in a nation’s economic strength, making contributions beyond the pure military instrument. Defence spending often plays a key role in anchoring regional economies, including providing opportunities to communities in otherwise economically deprived areas by, for instance, promoting employment and the development of specialist knowledge, skills and expertise, or by promoting regional investment opportunities through defence-related exports. As such, procurement decisions can have ramifications for the dynamism of regional ecosystems. + +Since 2015 and even before, the UK government has sought to include many of these considerations in explicit policy frameworks such as sector strategies, most prominently the DSIS. Since 2015, the MoD has been centrally directed to use its funding, in part, to promote national prosperity. Dunne’s report in 2018 argued that procurement decisions should not rest on cost alone, and that consideration should also be given to the prosperity impact on local economies when making procurement decisions. The Defence in a Competitive Age 2021 paper stressed how defence benefited the whole of the UK, including employment, publishing numbers that aggregated the benefits in Scotland, Wales and NI. The DSIS further reinforced the multiple benefits linked to defence procurement. + +In 2023, the government aims to use defence procurement for the pursuit of multiple objectives that were well summarised in the Land Industrial Strategy published in 2022 (see Figure 1). + +![image01](https://i.imgur.com/2XyTQQ6.png) +_▲ __Figure 1: Elements of the Land Industrial Strategy Objectives Framework.__ Source: [MoD, “Land Industrial Strategy: Fusing Our Capability and Industrial Objectives”, 2022](https://assets.publishing.service.gov.uk/government/uploads/system/uploads/attachment_data/file/1076392/Land_Industrial_Strategy.pdf), p. 27._ + +The economic impact of defence spending can be negative when expenditure is excessive, but it clearly generates employment and can involve the generation of skills for the civil economy. Defence spending on R&D can yield technologies that are valuable in both the military and civil sectors. And a not-trivial consideration is the significant proportion of defence funds spent in country that are returned to the Treasury in the form of income and other taxes. Long-term defence projects also encourage participating firms to invest in manufacturing facilities that can then have civil uses. In 2023, very few of these benefits apply in NI, a situation that this paper attempts to analyse. + + +### II. The Defence Business in Northern Ireland: Background + +This chapter discusses the macroeconomic situation in NI and reasons for the limited defence spending in the region. + +#### Economic Background and NI Defence Share + +Across a broad range of economic and social metrics, geographic differences in the UK are large in absolute terms and have widened over recent decades. NI is a region of just over 1.9 million people, and accounts for 2.8% of the UK’s population. It was once well known for shipbuilding and the linen industry, but these industries have experienced a severe decline. NI is the poorest performing UK region for productivity, almost 20% below the UK level, and is falling behind, with a lower level of productivity growth relative to the UK average. + +Mirroring these disparities, the UK defence sector has historically been characterised as exhibiting a north–south divide, with southern regions of the UK receiving the major share of defence expenditure and employment. This trend continues, and throughout the 21st century NI has benefited minimally from defence spending. According to the Office for National Statistics, total annual MoD expenditure with UK industry was just over £21 billion in 2021/22, with NI receiving 0.5% of the total (see Table 1). + +![image02](https://i.imgur.com/Am7GVjX.png) +_▲ __Table 1: MoD Total Spending with UK Industry and NI Share: 2013/14 to 2021/22 (in Current Prices).__ Source: [MoD, “Finance–Economics: Annual Statistical Bulletin: Regional Expenditure”, “Table 2: MOD Expenditure with UK Industry in Current Prices by Region”](https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fassets.publishing.service.gov.uk%2Fgovernment%2Fuploads%2Fsystem%2Fuploads%2Fattachment_data%2Ffile%2F1130991%2FData_tables_relating_to_Finance__Economics_Annual_Statistical_Bulletin_-_Regional_Expenditure_-_2122.ods&wdOrigin=BROWSELINK)._ + +In terms of MoD spending per head in a region, the NI figure for the year 2021/22 was £60, while the national average was £310 (see Table 2). + +![image03](https://i.imgur.com/tTMXzPC.png) +_▲ __Table 2: MoD Spending with UK Industry Per Person: UK Average and NI Figures, 2013/14 to 2021/22 (in Constant Prices).__ Source: [MoD, “Finance–Economics: Annual Statistical Bulletin: Regional Expenditure”, “Table 5: MoD Expenditure Per Person with UK Industry in Constant 2020/21 Prices by Region”](https://view.officeapps.live.com/op/view.aspx?src=https%3A%2F%2Fassets.publishing.service.gov.uk%2Fgovernment%2Fuploads%2Fsystem%2Fuploads%2Fattachment_data%2Ffile%2F1130991%2FData_tables_relating_to_Finance__Economics_Annual_Statistical_Bulletin_-_Regional_Expenditure_-_2122.ods&wdOrigin=BROWSELINK)._ + +With a population of over 1.9 million, the latest (2023) report by the MoD’s JEDHub shows that Northern Ireland accounted for 0.8% of national defence private sector employment. A report by the MoD in 2022 showed that in terms of direct defence-related employment, in 2020/21, for every 100,000 people in full-time employment in NI, just 60 of these jobs were UK defence related. The equivalent number for Scotland was 640 and for the southwest of England it was 2,060. The January 2023 edition of the same government report did not include the figures on this topic. While recent new streams of work for Thales and Harland & Wolff for missiles and Fleet Solid Support ships work are likely to boost direct employment associated with MoD spending, the figures for 2019/20 show that Northern Ireland only accounted for 500 of the 125,000 jobs supported by UK defence in total. + +#### Reasons for Low NI Defence Expenditure + +There are a number of reasons why the NI defence industry is not as vigorous as that of other regions. These include the commercial failings of past defence establishments (leaving a minimal presence of defence primes in the province), sensitivities linked to the region’s past, and a historical trend towards unequal regional MoD spending. + +NI is a long-contested region of the UK, which experienced decades of violent sectarian conflict between the late 1960s and the late 1990s. This period, known as the Troubles, came to an end in 1998 with the creation of a power-sharing government that included political forces aligned with armed groups. As part of this settlement, known as the Good Friday Agreement, the British government committed to reducing the number and role of the armed forces deployed in NI, as well as to the removal of security installations and defence bases. Due to the extremely complex and sensitive legacy of NI’s past and the demilitarisation efforts envisaged by the Good Friday Agreement, conducting defence business in the region has not been easy. + +These difficulties, peculiar to NI, are also exacerbated by a trend of unequal regional MoD spending. This, coupled with the shadow of 30 years of conflict as well as some local political parties’ antipathy to the defence industry, has considerably affected the defence demographics of NI, resulting in little work located there. But a series of contextual and business changes are underway, and it is on these that this paper now focuses. + + +### III. Surveying the Potential of the NI Defence Industry + +This chapter outlines the activities of key Tier 1 and 2 suppliers in NI, as well as the opportunities and challenges faced by suppliers down the supply chain. + +#### Key NI Defence Industrial Players + +NI exhibits a vibrant industrial panorama with some key companies, including the US-owned aerospace company Rockwell Collins, whose NI subsidiary is focused on making seats for commercial aircraft, and Schrader Electronics, a US-owned electronics firm. Three firms with defence potential stand out: Harland & Wolff (H&W); Thales; and Spirit AeroSystems. + +__H&W__ + +In August 2019, H&W in Belfast went into liquidation with 79 employees. While having had a notable and extensive history in shipbuilding, including construction of the Titanic, it had been in a sustained decline. The last vessel it built for the Royal Navy was a Leander-class frigate completed in 1968. The last ship it built was Anvil Point, a roll-on roll-off ferry under an MoD Private Finance Initiative, which was delivered in 2003. + +Soon after liquidation, the firm was bought by a strategic infrastructure company, previously known as InfraStrata plc, for the modest sum of £6 million, under which it acquired a very large infrastructure in Belfast covering 81 acres that included drydock facilities able to take the largest military ships, including the UK’s aircraft carriers. There are other docking areas and two historic Samson and Goliath cranes. In terms of buildings, there are two enormous fabrication halls that were and could again be used to build whole ships and certainly ship blocks under cover, so long as investment in manufacturing plant was available. + +It is easy to be impressed by the entrepreneurial spirit of the new owners who have restored the H&W name, invested in new capabilities and found work that could take advantage of their infrastructure. In February 2023, a large tanker was in drydock to be painted and for other repairs, a Royal Fleet Auxiliary vessel was moored awaiting some attention, and one of the large halls had an installed computerised welding machine involved in the building of two dozen barges for the waste and recycling firm Cory. On occasion, large cruise ships come in for maintenance work. The workforce at the yard had grown significantly by February 2023 and there is an active recruitment programme in place, especially for apprentices. In April 2023, the firm had 65 apprentices working on site. + +Under the new ownership H&W has also grown by acquisition. In 2020, it bought the Appledore yard in Devon, which had been abandoned by its owner Babcock after its work on the Queen Elizabeth-class had been completed, along with an order from the Republic of Ireland for four patrol craft. When H&W took over Appledore in 2019 there was one employee, the site manager. In 2021, H&W also bought facilities on the east and west coasts of Scotland at Methil and Arnish, for which it had plans for offshore energy and defence work. + +H&W also shared in the confidence in the regeneration of the UK shipbuilding industry that was a feature of the government’s National Shipbuilding Strategy of 2017 and the refresh of that document that was published in 2022. + +In autumn 2022, H&W was a key element of the Team Resolute consortium that was named as the preferred bidder for the £1.6-billion contract to build three Fleet Solid Support (FSS) ships. The consortium was led by Navantia of Spain, which will provide the design (supported by BMT of the UK) and do some (possibly most) of the construction. Navantia is the prime contractor with ultimate (financial) responsibility for delivery of the vessels. H&W will begin by building at least the bow block of the ship in Belfast and other work will take place at Appledore. Capturing and enhancing the shipbuilding expertise that was formerly at Appledore, rebuilding capability in Belfast and building a positive relationship between the Appledore and Belfast sites will be important for both those sites and the FSS programme. Final assembly of the component blocks is planned for Belfast. Some sense of the weight of the work to be done by the H&W group (Belfast and Appledore) can be gleaned from the £700–800-million manufacturing contract that H&W signed with Navantia in early 2023. + +Overall, the choice of Team Resolute to deliver the FSS indicates that the MoD sought to tick the levelling up and prosperity boxes by providing opportunities to H&W but, at the same time, passed financial risk to Navantia in Spain by making it the prime contractor. + +In an uncomfortable session for the MoD, Vice Admiral Paul Marshall provided two pieces of reassurance for the Defence Committee. First, he specified how a workforce was to be generated for Belfast: + +> The mobilisation of the workforce is absolutely a key risk for the programme; it is probably the most significant risk that I see going forwards. There is a plan, first, to recruit workers into the yards. They will then go to Spain to be trained and upskilled before returning to the UK. Then, in a “train the trainer” kind of way, Spanish shipbuilders will help to train the UK workforce in the UK yards. On reducing that further, the procurement strategy of integration in a UK yard is a significant mitigation of the risk overall: we know exactly what our obligations are in the contract when it comes to not only producing the ship but how it is ultimately integrated and brought together at Harland & Wolff. + +Second, he stressed that delivery of social value elements was a contractual obligation in the contract with Navantia: + +> the threshold social value within the FSS contract is 10%—that is an obligation within the contract and it will be managed through the usual contract governance. + +Members of the Defence Committee expressed fears that H&W will be unable to acquire the skills and capability to deliver much work on the FSS, which will then result in most of the manufacturing taking place in Spain. Moreover, such a development could appear to be in Navantia’s commercial interest and seemingly limit its incentives to help out H&W. Another scenario is that H&W might generate a workforce by bringing workers from other parts of Europe. + +The owners of H&W cannot be criticised for their entrepreneurial spirit and ambition but, if things do not go well, those responsible for the selection and implementation of the procurement strategy should expect to be held to account for their choices. However, should the FSS project proceed on schedule, the MoD will have made a significant contribution to turning what had become an industrial wasteland near the centre of Belfast into a hive of activity with longer-term prospects. Indeed, if H&W can deliver to time and budget, technology and expertise will be transferred from Spain, and the company will be well placed to win fabrication and support work on other vessels, including defence ships. + +__Thales__ + +The Thales plant in Belfast has gone from relative neglect by government to near centre stage. + +Originally this plant was part of Short Brothers and was focused on missiles. By 1989, Short Brothers was a government-controlled, struggling company. With the government agreeing to take over Short Brothers’ debts, Bombardier of Canada agreed to buy the business for £30 million in 1989. The business also included aircraft development and production in a separate but relatively nearby site that today is owned and operated by Spirit AeroSystems in the US (see section on Spirit AeroSystems below). + +In 1993, Bombardier formed a missile 50–50 joint venture with Thomson-CSF of France (which was subsequently renamed Thales). Next, Bombardier strategically opted out of the defence sector and sold its share of the missile joint venture to its French partner Thales in 2000. Since then, Thales has run the Belfast plant along with a final assembly unit in the NI countryside which completes the missiles with propellant and explosive elements. + +Thales Belfast has three main products: Starstreak; Lightweight Multirole Missile (LMM) systems; and the Next Generation Light Anti-Armour Weapon (NLAW). Starstreak is a short-range, high-speed, ground-to-air missile system (which can also be steered to hit surface targets over three miles away) and can be fired from land or sea platforms. LMM is a lightweight, precision-strike multirole missile designed to be fired from a variety of tactical platforms on land, sea and air. LMM development began in 2008, building on technology from Starstreak. Qualification testing and initial production commenced in late 2011, following an initial contract by the MoD in April 2011, but progress was slow. It was integrated on to the Wildcat helicopter and fired from that platform in the early 2020s. + +The NLAW is a man-portable, anti-armour, tube-launched missile. This is a joint effort with Saab of Sweden, which produces many of the weapon’s internal components with Thales doing final assembly as well as some production work. The weapon came into service with the British Army in 2009. + +While government provision was made for the assured UK production of small arms ammunition, most recently in the Next Generation Munitions Solutions contract with BAE Systems, and for the development and production of a range of complex weapons (in the Complex Weapons Portfolio with MBDA in the lead), there was no commitment between 2013 and 2020 about sustaining the UK development, production and support capabilities of the munitions produced by Thales. Instead, there were just a number of individual contracts. The last reported MoD order for new Starstreak missiles was in 2013, although Thales received availability and upgrade contracts in 2018 (£98 million) and 2021 (almost £100 million). However, Thales was successful in winning exports, particularly in Thailand, Malaysia and Indonesia, and South Africa. Thales’ Paris headquarters gave the support, including in its move to diversify its capabilities into directed energy systems and electric power for space systems. + +Then, in 2022, Thales Belfast’s products became a vital asset for UK supplies to Ukraine. The Russian invasion of Ukraine showed once again what 21st-century conventional inter-state war could look like. It underlined the value of inexpensive weapons that could bring down helicopters and low-flying, fixed-wing aircraft (Starstreak) and anti-tank weapons (including NLAWs), which played an important role in denying Russian hopes of a quick victory. The operational value of both weapons has been reliably reported, with Wallace observing: “These next generation light anti-tank weapons have played a decisive role in supporting Ukraine’s army to drive back Russia’s illegal invading forces”. + +But in such a war, very large numbers of these weapons are needed. As a result of UK NLAW supply to Ukraine from British stock, the UK has needed to replace and perhaps enhance its own holdings and will also likely want to send more supplies to Ukraine. In April 2022, the MoD contracted for 500 weapons to be delivered in 2023 and in December 2022 it placed a £224-million contract with Thales and Saab for many more NLAWs for delivery in two and three years’ time. Wallace said: + +> Secured through Defence Equipment and Support – the MoD’s procurement arm – today’s agreement will see several thousand units delivered to UK Armed Forces across 2024–2026, in addition to around 500 being delivered in 2023 through a separate procurement. + +While the experience of the Ukraine war has much enhanced recognition of Thales Belfast’s strategic significance, its economic impact should not be overlooked. In 2023, the company, by now with over 600 employees, pointed out that: + +> Thales contributes £35 million to Northern Ireland’s GDP with Thales Belfast’s staff average pay in the top 10% of all employees in Northern Ireland. Thales Belfast also supports an ecosystem of suppliers and 91% of our local procurement in Northern Ireland is with small to medium enterprises (SMEs). + +Thales Belfast’s future seems assured while the Ukraine war lasts, but thereafter much hinges on how the MoD and the Army decide to prioritise defence funds. Will they emphasise the sort of modest-cost munitions which are the focus in NI and look to build larger stocks than before, justified by deterrence arguments and the value of capabilities for sustained warfighting? Might they also look to Thales for capabilities to surge production rates in times of crisis? Will they fund work so that the munition performance can be regularly improved, enabling the company to sustain a capacity for R&D? What place will international collaboration play in such matters? Alternatively, will complacency be restored with peace in Ukraine and neglect of mid-range munitions return as a feature of UK defence procurement? + +In 2023, the signs are at least promising: Thales is developing and producing its next generation multi-role missile to be mounted on UK ships, land vehicles and helicopters and in 2021, Thales Belfast was a significant part of the consortium awarded a contract to work on the development of laser weapons, which the company said would protect 140 jobs and allow the creation of 40 more. With support from Thales headquarters, Thales Belfast is also investing in space technologies, dealing particularly with electric propulsion, and has prompted the establishment of a regional special interest group of some 30 smaller companies. + +__Spirit AeroSystems__ + +Spirit is a US-based company that was formed when Boeing sold off its factory in Wichita and its Oklahoma operations in 2005. In the US, Spirit is a major supplier of structures for the 737 and Boeing remains Spirit’s main customer. + +Things went awry in March 2019 when the latest version of this aircraft, the 737 Max, was grounded for 20 months after two crashes, and even in 2021 some doubts remained about its safety. Then in 2020, the Covid-19 pandemic virtually stopped the civil aviation business in its tracks with, at that time, no date visible for its recovery. + +These developments prompted Spirit to decide both to reduce its reliance on Boeing and to diversify its products to include defence. In the US, it has won work designing and producing aerostructures on militarised civil aircraft, notably the KC-46 and the P-8A, but also on the CH-53K and V-280 helicopter and tilt rotor and the B-21 bomber. It has invested in composites capable of high-temperature operations and with potential for hypersonic flight. + +Spirit bought BAE Systems’ aerostructures business in Prestwick in Scotland in 2006, and a key step in the move to a wider customer base was the purchase of Bombardier’s businesses in NI in 2020. + +Today the core of Spirit’s work in Belfast is construction of the fuselage and other structures for Bombardier business jets and advanced composite wings for the Airbus 220. This aircraft has proved a strong commercial success, and by January 2022, there had been 680 orders and 194 deliveries, yielding an order backlog of 486. + +Spirit Belfast’s production of Airbus 220 wings, which are largely made from composite materials, has benefited from extensive capital investment in production machinery including autoclaves and is a large and impressive facility. The factory uses a Spirit-owned resin injection technique which supports the creation of complex one-piece, highly loaded structures. These technologies have potential for wider defence applications. + +Spirit’s aim to become a defence supplier also to the UK had initial success when in 2021, it led a team including Northrop Grumman UK and Callen–Lenz, a small UK UAV firm, in winning a £30-million MoD contract to design and produce a prototype of the Spirit-led Mosquito project, the envisaged Lightweight Affordable Novel Combat Aircraft, a “loyal wingman” system which would serve as an uncrewed platform to work with the planned Tempest manned aircraft. A first flight was envisaged by the government for 2023. However, the government ended the project at the design stage, having concluded that “more beneficial capability and cost-effectiveness appears achievable through exploration of smaller, less costly, but still highly capable additive capabilities”. + +However, Spirit’s UK defence ambitions have not been abandoned and its interest in uncrewed aircraft remains very positive. Reflecting its commitment, it has seconded staff to the Defence Solutions Centre and joined the club of companies associated with the Future Combat Air System, the Tempest-plus concept which includes adjunct platforms. Spirit, with its composites expertise in defence missionised structures (such as SAAB GlobalEye), is also a member of the Airbus-led team bidding for the New Medium Helicopter, a replacement for the Puma and other platforms. + +In the US, the Spirit AeroSystems company has extensive engineering expertise focused on composites but not restricted to them. Where appropriate, and subject to the International Traffic in Armaments Regulations (ITAR) and government-to-government discussions, transfer of such capabilities to the UK may be possible. Obviously, the US export control machinery covering dual-use goods and the ITAR will need to be carefully navigated, but in general, that regulatory system does not cover the management expertise that a company can bring to its subsidiaries. Also, the company has a set of growth aspirations around their defence and space strategies for unmanned, next-generation aircraft, effects, space and hypersonics. + +Spirit’s interest in uncrewed air systems (UAS) remains strong and the role played by such vehicles in the Ukraine war has been striking. A large variety of UAS have been and are being developed for multiple functions and the potential for strong, lightweight and affordable composite structures in this domain is apparent. Composites might also be associated with low-maintenance stealth features in future air systems. As can be seen in the Ukraine conflict, UAS are prompting multiple efforts in counter-drone technologies and systems which threaten to reduce the viability of many of the simpler UAS on the market. A “drone–counter drone” competition is underway. It is in their capacity to navigate through these long-term issues that larger companies such as Spirit have an advantage over smaller firms that are focused on specific platforms that can be generated relatively quickly but whose utility may be of short duration. The target should be to link small-firm agility with the resources and wider perspective of larger businesses. + +#### An SME-Dominated Economy + +NI is marked by the predominance of small businesses with no easy geographic links with major defence or other large manufacturing entities outside the region. The latest NI business activity, size, location and ownership statistics, released by the Northern Ireland Statistics and Research Agency for 2022, show that NI remains “predominantly a micro-business economy, with almost 90% of businesses having less than 10 employees. Just over one-quarter of businesses in NI had turnover of less than £50,000, whilst 70% had turnover of less than £250,000”. These are similar to the ratios found in the UK economy as a whole, but what makes NI unusual is the relative absence of large manufacturing companies to serve as SME customers and the recent growth in SMEs sufficiently interested in the defence and security sector to have joined ADS. + +![image04](https://i.imgur.com/CdscwV3.png) +_▲ __Figure 2: Percentage of Businesses Operating in NI by Employee Size Bands, 2022.__ Note: The majority of businesses (89%, 70,510) in NI were micro-businesses (fewer than 10 employees). Just over 2% (1,640) of businesses had 50 or more employees. Source: [Northern Ireland Statistics and Research Agency, “Northern Ireland Business; Activity, Size, Location and Ownership, 2022”](https://www.nisra.gov.uk/system/files/statistics/IDBR-Publication-2022_0.pdf), p. 3._ + +Indeed, the predominance of small businesses characterises the NI defence sector, where the majority of the local defence supply chain is made up of SMEs. For instance, Thales Belfast, the major defence prime which supports an ecosystem of suppliers, reports that 91% of its local procurement in NI is with SMEs. + +In the British government’s view, SMEs bring a unique customer focus and agility that add value throughout the defence supply chain, contributing to its diversity and resilience. Across the UK in 2019–20 “they contributed work worth over £4.5 billion to defence projects, accounting for over 21% of Defence’s total spend with industry”. + +This importance is reflected in the DSIS, which sets out an ambitious vision for the future of MoD’s relations with industry. By recognising the UK’s defence industry is a strategic capability “in its own right”, the DSIS placed particular emphasis on the need to maximise opportunities for SMEs to do business with the MoD given their key role in enabling technology pull through and guaranteeing supply chain resilience. However, particularly in NI, these smaller businesses face real challenges in trying to move into defence. To assess them, interviews were conducted with individual companies and industrial bodies, and wider information was collected. The points below reflect those interviews, but many of the difficulties noted are common to small firms across NI. + +- __Difficulties in outreach beyond their region.__ Geography and travel costs still matter, particularly for smaller businesses. One of the recurring difficulties reported by NI SMEs is linked to the distance of the region from London and southeast England, and the consequent difficulties in carrying out a straightforward personal conversation with figures in the MoD and Defence Equipment and Support (DE&S) without travelling to London, which can imply what are seen as significant financial costs. Similarly, the costs of getting to meet-the-buyer events and trade shows, which often but not always take place in the southeast of the UK, put a financial burden on these companies. This factor should be seen in perspective – while there are plenty of return airfares from Belfast to London that cost less than some second-class train fares within the UK mainland, a sense of distance has a psychological dimension, in addition to further costs such as hotel bills. Moreover, literature on the benefits of industrial clusters of cooperating firms suggests that geographical proximity matters, especially when the clusters are concentrated near large firms. Clustering is important for the competitiveness of smaller companies because of the advantage it creates in the value chain. According to Ebru Caymaz: + +> Clusters offer SMEs advantages for innovation through communication networks and strategic partnerships, increase their competitiveness at the international level, enable them to benefit from the input pool of large enterprises, develop new strategies and production techniques, and increase workforce skills. + + In terms of formal meetings, online participation can be a substitute, but it does not enable the informal, lunch and coffee break discussions that can be so useful. Thus, geographic separation from the commands, the MoD and the DE&S, as well as from most defence industrial events, is a real consideration for NI’s defence SMEs. + +- __Meeting security standards and classifications.__ Across the UK, for those SMEs that are not yet in the defence space but aspire to pursue defence-related contracts, a key challenge is obtaining security clearances for people and facilities. Corporate and individual applicants for security clearances need a sponsor that is already qualified. However, most briefings on emerging defence projects are classified, so a non-traditional defence supplier can find itself in a chicken-and-egg situation in which it would need to access the content of the briefing to see how its organisation could contribute yet cannot get access without a security clearance. + +- __Lack of awareness of the opportunities and support available for innovation and R&D.__ SMEs often do not have the capacity to research the opportunities for defence work, such as those offered by the Defence and Security Accelerator (DASA) and the Defence Science and Technology Laboratory (DSTL). Defence is a complicated, multi-faceted sector and it takes effort to understand customer and supplier structures. Even understanding how to present bids to the MoD requires knowledge and experience. While it is true that DASA awards grants to NI companies and its support has been transformative for some, DASA covers NI from Scotland. This means that it can lack the local knowledge necessary to tailor funding calls to actual needs in NI. As a result, some SMEs have noted that many calls for R&D projects seem to be for blue-sky research, rather than being clearly market driven. Importantly, SMEs are drawn to market-focused projects so that they can achieve a faster return on their investment. + +- __Lack of ownership and limited capacity to commercialise technology solutions.__ Local stakeholders reported that DASA funding can have a transformative effect on their business and engaging with DASA provides a valuable front door to defence. The difficulty lies, however, beyond the DASA phase, in finding product champions committed to scaling up their solution, which can lead to stilted adoption and limited enablement. Many SMEs in NI operate in the Internet of Things space, and the problem they encounter with defence is that there is no focus on continuous improvement, an inconsistent feedback loop and no interest in driving return on investment, which is unusual in the digital solutions space and might disincentivise such businesses from pursuing defence work. Although transformative, DASA contracts are only the beginning of the journey, and it is difficult for SMEs to promote the appetite for their solutions, both in the services and in the primes, once the DASA phase is completed. + +All the above leads to an overall reluctance from SMEs to pursue defence work. Further, there are several other generic aspects of governmental procurement in defence that do not favour SMEs. Government contract terms can require bidders to accept major liabilities in the event of implementation problems and these can potentially kill a business. SMEs are sometimes backed by venture capitalists who are looking for high profit rates on those firms in their portfolios which are successful, but high profits are not associated with government contracts. When the MoD proceeds without formal competition, the Single Source Regulations apply, restricting profit rates to around 10%. + +It is important to note that although these challenges were highlighted in author conversations with NI SMEs, many apply to all parts of the UK. The MoD also points out that many were addressed in its 2019 SME Action Plan and that it has taken a series of steps to facilitate and improve SMEs’ access to UK defence. A follow-up to the 2019 commitments was issued in January 2022. + +Thus, the apparent situation is that, despite the efforts of the MoD at ministerial level to improve its exploitation of what SMEs could bring, many companies in NI still feel that defence is a particularly difficult market to access. + + +### IV. Beyond Traditional Defence Players + +As discussed in previous chapters, NI has one Tier 1 defence firm (Thales), a large Tier 1 aerospace supplier (Spirit AeroSystems) and an aspiring Tier 2 defence shipbuilding firm (H&W). Each of these larger companies has the potential to mobilise smaller companies and/or non-traditional defence suppliers down the supply chain. The level of proximity and cohesion in the region means that more than 100 firms are within one hour’s drive of each other – a high density of suppliers across all elements of the aerospace supply chain, from design and manufacture (including capabilities in machining, composites and polymers), to coatings, assembly, certification and testing. + +#### Civil Aerospace + +NI enjoys an important civil aerospace legacy. Indeed, its aerospace and defence sector is a £1.5 billion industry employing an estimated 7,000 workers directly. According to media, “there are 60 firms in Northern Ireland whose manufacturing and systems already produce structures, components and services for nearly every commercial aircraft programme in the world”. The region also manufactures over one-third of all aeroplane seats and is a “global leader in survival technology”. Notably, in a region with less than 3% of the population of the UK, NI businesses won “one-third of the prestigious SC21 (Supply Chains for the 21st Century) Business Excellence Awards and 70% of the SC21 Gold Awards at the Farnborough International Airshow”. To achieve a gold award, a company must register a higher than 99% on-time delivery performance and 99.9% quality performance, as well as scoring more than 500 points in business, manufacturing and relationship excellence. Importantly, not only did Northern Irish companies such as Moyola Precision Engineering, Denroy and IPC Mouldings Ltd retain coveted SC21 Gold Standard status throughout the Covid-19 pandemic, but NI actually saw an increase in the number of companies attaining this standard during the crisis. + +These capabilities reflect the fact that NI was the first region in the UK to develop a bespoke strategy for aerospace, following the launch of Lifting Off in 2014, under the theme Northern Ireland – Partnering for Growth. The strategy was designed to establish the required supply chain structure and develop the capabilities of NI companies through supply chain excellence to increase productivity and competitiveness. To support these efforts, a key regional innovation hub was established, the Northern Ireland Advanced Composites and Engineering Centre (NIACE). Opened in January 2012, NIACE currently has 12 participating companies from a variety of sectors, including aerospace, automotive, defence, environmental and marine. The participating companies regularly collaborate with Queen’s University Belfast and Ulster University on joint research projects and on de-risking of research and development activities. Other initiatives, such as the National Aerospace Technology Exploitation Programme, encourage SMEs to collaborate with original equipment manufacturers (OEMs) in the industry to develop new technological capabilities. + +The relevance of this is enhanced by the growing inter-relationships between the civil and military sectors. In an era where information capture and analysis are central to defence capability, surveillance and communications systems are often deployed on and in civil aircraft. In the UAS domain, such systems are increasingly used for both civil and military purposes. Thus, NI suppliers with certified qualities should explore and be considered for work in both the defence and civil sectors. + +#### The Security Sector and the Role of Education + +In addition to a strong civilian aerospace pedigree in the region, defence could also make use of NI’s vibrant cyber-security sector. In the years since the Good Friday Agreement, NI has become a hotspot for cyber-security innovation, with cities such as Belfast and Derry/Londonderry exhibiting high technology specialism, consistently attracting domestic and overseas investment. + +The current cyber-security ecosystem in NI consists of more than 120 businesses that provide cyber-security goods and services. The Belfast city area is home to 84% of all NI cyber firms, which highlights the city’s status as a UK cyber hub with emerging technology specialists, ranked second in the UK and ninth globally in the top 25 Tech Cities of the Future for 2020/21. Belfast is “Europe’s leading foreign direct investment destination for new software development”. + +A recent study estimates that there are 2,299 cyber security employees currently within NI’s cyber sector, with an average income of £48,400 in 2020. This indicates that the sector currently contributes more than £110 million in yearly wages to the NI economy. This is significant since NI has long struggled with private sector productivity and wage levels. Cyber security is a big economic opportunity for the region, with salaries much exceeding the NI private sector median levels and offering a solid foundation for growing NI private sector productivity. + +This has attracted considerable investment, both domestically and overseas. The UK government has recently announced an £18.9-million investment in NI’s cyber security industry, including £11 million in government funding through the New Deal for NI, to establish a pipeline of cyber-security specialists in NI while also assisting firms and start-ups in developing new prospects. This surge of momentum behind cyber security in NI is helping to attract significant foreign investment, particularly from the US, a key investment partner, with 37 firms employing 1,432 cyber-security professionals (62% of NI-based cyber-security employment). This employment is significant as it has the ability to encourage skill development, increase investment in NI and have a positive impact on the larger ecosystem, not least in the defence space. Thanks to its vibrant cyber-security landscape, NI was recently appointed the new location for the next government-backed Digital Catapult Centre, with the aim of better showcasing NI’s tech capacity in areas such as advanced sensors, analytics and cyber security. + +Key to this success was the region’s promotion of strong connections between industry and education, championed by local institutions such as Queen’s University Belfast and Ulster University. Both are pivotal in nurturing a talent pipeline of trained security professionals and in producing industry engagement by embedding academic staff in industry and embracing an “open innovation model”. The aim of this model is to enable “research to translate to industry in an agile way, ensuring demonstrable technology is in the hands of end users quickly”. While more frequent in the security space, this collaboration model is now unfolding in relation to the defence sector too. For instance, the Centre for Secure Information Technologies (CSIT) at Queen’s University Belfast has recently partnered with BAE Systems on video-based semantic analysis of crowd behaviour, while Thales has used CSIT novel Physical Unclonable Functions technology in a demonstrator for electronic component anti-counterfeiting. The private sector must play its part in promoting the opportunities it offers, and emerging regional defence players such as H&W might wish to fill any awareness gaps there may be about, for instance, the scale of BAE Systems’ work with young people in Barrow, aimed at meeting its submarine-building skills needs. + +Advances in information technology and modifications to existing weapons with ISR systems means that the cyber and defence sectors are now deeply interrelated, as are the innovation challenges and skillsets required by both industries. Through its cyber-security clusters and academic centres of excellence, NI has developed beyond UK average science and technology capabilities, nurtured science, technology, engineering and mathematics skills, and established leading R&D programmes. These activities are the basis for generating military and security capabilities and other tangible and intangible assets which are themselves levers of national power and influence. + + +### Conclusions and Recommendations + +The research for this paper found considerable NI corporate interest in securing more work in defence. There are three different but complementary prominent businesses in the region: Thales, an experienced defence-focused business unit; H&W, a heavy-engineering firm at the centre of the National Shipbuilding Strategy’s aim of regenerating the shipbuilding sector; and Spirit AeroSystems, a high-technology aerospace company looking to expand into the defence space. Together with the extensive range of SMEs in the region, there is an opportunity to promote NI, not as part of the problem set of UK defence and security, but as a valued contributor to its management and solution. + +This paper has also identified the main challenges related to conducting defence business in NI. Understanding and mitigating these challenges and leveraging the capabilities of local defence establishments is key to improving NI productivity and prosperity, ensuring national resilience, and ensuring that the UK’s industrial base remains capable of delivering high-quality capabilities. This chapter presents conclusions and recommendations for possible next steps for UK defence to help tackle these challenges. + +#### Defence Spending Across the UK + +__Conclusion__ + +- It is axiomatic but not assured that behaviour within government should match the directions set in governmental policy. As noted early, the MoD direction is that the whole of the UK should benefit from defence spending. Until very recently, gain for NI was minimal and, even with the contracts with Thales and the FSS contract involving H&W, the immediate future will not be much different. + +__Recommendations__ + +- It would be beneficial to have a small team from the MoD tasked with understanding the business environment in the NI context and, in particular to gather data on the extent and complexity of regional supply chains and how to better integrate them in the broader UK defence industrial base. The intent would be to ensure that opportunities for securing useful work from NI firms are not overlooked. + +- This is a matter on which the House of Commons Defence Committee could keep a weather eye. To date, NI has received only modest attention from the Defence Committee in Parliament. Some members visited Belfast in February 2023, but this was not part of a formal evidence session and was primarily prompted by the need to look at the industrial agility of Thales for the delivery of NLAWs. Had Russia not invaded Ukraine and had Thales not been at the forefront of NLAWs supply, there would have been little interest in the defence enterprise in NI. The last Defence Committee visit to NI took place in 2016. The Committee has little hard power, but when it identifies and publicises an issue it can prompt the MoD to direct attention to it. + +#### The Three Major Defence Opportunity Firms + +__Conclusion__ + +- The three major defence-related firms in NI find themselves in a new situation, although the nature of each situation is different. Thales’ factory is emerging as a clear player in the munitions issues that have been exposed by the conflict in Ukraine. H&W faces the challenges of re-establishing an industrial shipbuilding capability that will require the recruitment and training of a workforce and the modernisation of its infrastructure. Spirit AeroSystems is seeking to break into further defence activity using its expertise in composite materials and aerospace. + +__Recommendations__ + +- While Thales has been awarded a contract to replace weapons supplied to Ukraine, its plant in Belfast needs to be recognised as a key element in the UK position on defence capability, operational independence and military sustainability. While longer-term munitions measures dealing with enhanced stock levels, production surge capabilities and international cooperation are emerging as matters for urgent attention, the MoD needs to recognise that the Thales plant will require a long-term drumbeat of development and production work to maintain it as a thriving entity. + +- For H&W, the DE&S and National Shipbuilding Office should not stand back, adopt a hands-off stance and simply see what happens with the FSS project. With the FSS contract, the DE&S has pursued its normal practice of passing as much financial risk as possible to the contractor. However, Navantia could seek to reduce its financial risk by bringing as much work as possible into Spain. Commercially that could be a rational stance. Members of the Defence Committee have already made clear their concerns that Navantia would not be unhappy to keep H&W in a junior role and do most of the work in Spain. But from a UK government perspective, the FSS contract signals a wider aim of increasing prosperity and social value in NI as well as generating additional industrial shipbuilding options for the future. By judging the Navantia bid to have been the best, the MoD has put its own reputation on the line. Thus, the UK governmental bodies should be both monitoring closely how H&W are progressing in Belfast (and Appledore) and looking to see what support and guidance they can provide to H&W. + +- Spirit AeroSystems UK is the UK entity of a much larger US parent which actively supports the defence development of its UK business. Its capabilities and strategic direction, including its stated readiness to grow by investment in the UK, are noteworthy. Its expertise in the development and production of composite structures means that it should be studied in detail by technical experts in government and the private sector. In order to make sense of Spirit’s potential, the MoD will likely have to rely not just on DSTL and DASA but also on its QinetiQ-led Aurora contract. The MoD should also recognise the need to protect any intellectual property that Spirit shares. One issue for government is whether Spirit should be operated as a competitor to GKN Aerospace and its partners in composite development for aerospace, or whether they should be encouraged to collaborate. + +- A specific issue relates to the UK government direction in the DSIS that its forces should enjoy operational independence and that British society should enjoy economic benefits from defence procurement. UK reliance on US systems for surveillance and intelligence (the P-8A, Wedgetail, Reaper and Rivet Joint) makes clear the limitations on these ambitions. Working with Spirit on defence applications should not deepen UK vulnerability to export restrictions, especially the International Trade in Armaments Regulations, but the import of Spirit management and generic technology exploitation for defence could mean significant levelling up and prosperity benefits for NI. It could also support the export of specialist defence sub-systems to the US. + +#### Improving the Regional Representation Mechanism + +__Conclusion__ + +- There are now few military units in NI, but each of the three services have senior military leads (SMLs) in each of the four nations of the UK. Their current role encompasses a series of representational and stakeholder engagement duties, mostly service related. + +__Recommendation__ + +- Since it is the services who are placing the requirements against which the DE&S and the Defence Infrastructure Organisation are delivering and designing the tendering process, there is value in industry having access to the SMLs, who could at least point them in the right directions in service headquarters and the DE&S. Additionally, local representative officers from the Royal Navy and the Army should establish familiarity with the progress and challenges of the FSS project and, in the case of the Army, with Thales’ missile capability. + +#### NI SMEs + +__Conclusion__ + +- Most firms interested in defence in NI are SMEs, which clearly have similar problems to similarly sized companies across the UK in seeking success in the defence sector. As discussed earlier, MoD attitudes to financial and technical risk, its required contracting terms and preference for time-consuming and costly formal competitive tendering are likely obstacles for many firms. However, the MoD’s own figures show that SMEs across the country are in receipt of more than 20% of government defence spending, whether directly through contracts from government or through primes, so the situation is far from hopeless. + +__Recommendation__ + +- MoD strategies for SME engagement overall are beyond the scope of this paper, but nonetheless it is suggested that the MoD keeps its practices under constant review. If it wants to better leverage the potential of SMEs for technology “pull through”, it must think more about what it needs to do to be an attractive customer. + +__Conclusion__ + +- In NI, the SME community stated that its difficulties associated with winning defence business for NI are partly linked to the location of the region and the costs of travel for small firms. + +__Recommendation__ + +- While NI firms must recognise that reaching out to customers is a necessary business expense, the MoD could endeavour to minimise the costs to aspiring suppliers. Possible steps could include holding industry briefing days in locations near a major airport or in Belfast, and starting such gatherings in the late morning, helping firms to avoid hotel costs. + +__Conclusion__ + +- The ADS director in NI discussed the number of NI SMEs involved in industry and stressed how the number had increased rapidly in recent years. Thus, there is a new situation in the province which could have been overlooked by UK authorities. The ADS team in NI are vocal and energetic promoters of the region’s SME potential, and ADS remains the leading trade organisation there. However, elsewhere in the UK, in England and Wales, the main body representing SMEs has emerged as Make UK Defence, within the wider manufacturing body Make UK. Historically, this came about because the aerospace and defence industrial bodies (ADS and before that the Society of British Aerospace Companies – SBAC) were considered to be dominated by the large primes. When the SBAC and the Defence Manufacturers Association merged to form ADS, there was a perceived need for a more SME-focused body, which is met in 2023 by Make UK Defence. These industrial bodies are collaborators, but also competitors for members. + +__Recommendation__ + +- Given that Make UK Defence is the prominent body for SMEs in England and Wales, and ADS has that role in NI, it would be sensible for them to work together to secure the best deals for SMEs across the UK. If two bodies do not send coherent and compatible messages, both are less likely to have an impact. + +#### Defence in NI + +__Conclusion__ + +- While NI hosts a plethora of innovative SMEs and micro-businesses, further support is needed to enable a cohesive regional defence and security sector to collaborate, overcome barriers to entry and help supply chains to compete and realise new technologies. The maritime and aerospace sectors, for instance, both prominent in NI, tend to operate in silos, leaving considerable space for further synergies between businesses operating in different sectors. + +__Recommendation__ + +- ADS and Make UK Defence should support the development of more and active clusters of SMEs in the region with defence interests. Such semi-formal groupings could focus on the three obvious defence sectors (aircraft, ships and munitions) but could also address the defence and wider security sector as a whole. In the UK, as observed earlier, the MoD has supported the advance of a defence-wide cluster for the southwest of England. An NI defence and security cluster could build on existing arrangements such as the NI Cyber Security Cluster and the Belfast Maritime Consortium, which could exploit the existence of well-established technology hubs such as the NIACE. + +- Such clusters work best when the member organisations have access to and can share awareness of the key problems facing potential customers. Given the proliferating interest in UASs, a cluster linking Spirit with information-focused SMEs in NI would have potential. Informational inputs from the MoD and the services would lubricate regional industrial thinking and initiative. + +__Conclusion__ + +- The military situation in Ukraine, the MoD’s readiness to react through private investment in H&W by issuing the FSS contract, Spirit’s enthusiasm to do more in the defence space and the growth in the number of SMEs joining ADS all point to a multi-faceted resurgence of interest in the defence sector in NI. The national political context is such that the UK government is concerned to capture the economic and social value attributes of defence spending and to see that all regions of the country benefit. + +__Recommendations__ + +- The MoD should have a specified target for an increased amount of defence work in NI. This is not to suggest that defence spending per head should rise to the levels in Scotland or even the national average, but that there should be a focused exploration of possibilities of raising it above the trivial amount at which it currently stands. This effort should involve initiatives from across the UK defence acquisition community in the MoD, the armed services, the various procurement bodies in governmental defence, especially the DE&S, Defence Digital, and the Defence Infrastructure Organisation, and the private sector. Such an effort would be highly compatible with the MoD’s levelling-up and prosperity agendas. + +- There is a need finally to consider the wider impact of an increased defence industrial effort in NI. While some nationalists might resent such direct support for UK military power, the authors’ conversations with local stakeholders suggest that change that brings well-paid and secure jobs, and that requires people to work with others regardless of their sectarian origin, would have an integrating and conciliatory impact on society. + + +### Annex: List of Participants + +This supporting annex lists the government and industry experts who contributed their insights to the research for this paper. Participants included representatives from the following organisations: + +- __ADS Northern Ireland__ – a trade organisation representing the aerospace, defence, security and space industries in the region. +- __Angoka__ – an Internet of Things security company, whose mission is to ensure the safety and resilience of Smart Cities and Smart Mobility by providing high-grade, quantum-secure solutions. +- __Cooneen Defence__ – a provider of clothing for military and police personnel across the world – combat, patrol and operational garments. +- __Harland & Wolff (Belfast)__ – shipbuilding company operating in the maritime and offshore industry. +- __House of Commons Defence Committee__. +- __Invest Northern Ireland__ – the economic development agency for Northern Ireland. +- __Kinsetsu__ – an SME providing intelligent tracking solutions. +- __Ministry of Defence__ – industrial strategy and exports. +- __Spirit AeroSystems UK__ – a large UK Tier 1 aerospace manufacturer. +- __Survitec__ – a manufacturer of personal survival equipment for the maritime, defence and government, aerospace and energy sectors. +- __Thales Air Defence Limited__ – a defence manufacturer producing short-range air defence missiles. + +--- + +__Isabella Antinozzi__ is a Research Analyst in the Defence, Industries and Society Research Group at RUSI. Her research interests include UK defence and security, post-Brexit UK-EU relations, the European security architecture and transatlantic cooperation. Prior to joining RUSI, she worked as a researcher at the European Council on Foreign Relations (ECFR) where she analysed the European Union’s (EU) defence and security policies, intra-European defence industrial cooperation as well as cooperation between the EU and third states in this field. + +__Trevor Taylor__ is Director of the Defence, Industries & Society Programme and Professorial Fellow in Defence management at RUSI where he has worked since 2009. He has more than 30 years’ experience of working with government and business in the defence and security area as an academic and consultant. In contrasting roles, he has been an assessor in the national research evaluation exercises, Chairman of the British International Studies Association, and an elected Council Member of the former Defence Manufacturers Association. He currently serves on the Advisory Board of Make UK Defence, an association particularly serving small & medium sized entities. diff --git a/_collections/_hkers/2023-06-13-how-ukraine-can-win.md b/_collections/_hkers/2023-06-13-how-ukraine-can-win.md new file mode 100644 index 00000000..223d5b1e --- /dev/null +++ b/_collections/_hkers/2023-06-13-how-ukraine-can-win.md @@ -0,0 +1,96 @@ +--- +layout: post +title : How Ukraine Can Win +author: Greg Mills +date : 2023-06-13 12:00:00 +0800 +image : https://i.imgur.com/wmYlqQw.jpg +#image_caption: "" +description: "David Fells Goliath, Then There’ll be Talks: How Ukraine Can Win" +excerpt_separator: +--- + +_Ukraine has outwardly changed through three stages following the Russian invasion on 24 February 2022: hanging on against the Russian onslaught, getting organised and better armed, and now – at the advent of the much-anticipated counteroffensive – confidently fighting back._ _It has proven resilient, innovative and adaptable, offering a model for enabling capacity through external cooperation. Russia, on the other hand, has shown that quantity – to use the old expression attributed to Stalin – does not have a quality all its own. While this war will end at the negotiating table, only the outcome of the military battle will get the two sides there, writes Greg Mills from Kyiv._ + +Deep in the Dorset countryside is a private UK company refurbishing 50-year-old Sea King helicopters for use by the Ukrainian defence forces. Some of these warbirds have seen service in the Falklands, Kosovo, Iraq and Afghanistan, though they have been given a complete overhaul before heading to the Ukrainian battlefield. There they are rendering sterling service, once more, in extracting the wounded and bringing in supplies. + +This programme is a good example of how old equipment can be repurposed at minimal cost. It’s an illustration, too, of how the training of pilots and engineers must parallel any equipment offer – one that has in this case been properly implemented. The procurement of more such Sea Kings in this way can only add considerably to Ukrainian capabilities. + +But the programme is also an illustration of the fact that the Ukrainians are getting only as much as donors are willing to provide, rather than what will meet their immediate needs. For comparatively little extra outlay, the Sea Kings could be fitted with stand-off Brimstone missiles, rather than go into combat zones unarmed. + +RUSI’s Nick Reynolds says that the performance of Kyiv’s armed forces to date shows that “it can win” with “consistent supply, standardisation, sufficient spare parts and maintenance and the type of equipment, including air defence and offence and electro-magnetic protection” that Ukraine needs. “We should not base our support of Ukraine on the basis of what we can give,” he says, “but rather what they need”, and nor “should we base our support for Ukraine on the result of each and every phase of this military campaign”. + +Whatever the downsides of integrating multiple equipment types and managing complicated logistics and training schedules for disparate types, Western equipment has been critical in turning the tide on the battlefield in Kyiv’s favour. And yet, the Ukrainians’ technical prowess has highlighted that, while equipment is necessary, without the required motivation and skills it is never going to be enough. Afghanistan serves as a painful reminder of this lesson. + +Here the Ukrainians have, if nothing else, demonstrated their capability and capacity for success against a foe superior in numbers and once regarded as a superpower. + +The manner in which older kit has been integrated with new systems and deployed is an illustration of how motivated the Ukrainian forces are to repel the Russian invasion, and to ensure that it never happens again. + +The most notable feature of this war has been the fighting ability of the Ukrainians, set against the poor performance of the Russian forces. + +The Russian forces have been depleted by heavy losses. Many have been in combat for more than a year. They are not especially well-disciplined or particularly well-led; are badly equipped in key areas such as communications; and are dependent on a strictly hierarchical command-and-control structure, consequently absent the type of small unit cohesion necessary to instil fighting confidence and ability – especially under the sort of military pressure which they are about to experience. + +The surge in Ukrainian capacity is not just about Western equipment, but how Kyiv’s forces have deployed it, added to it, displayed initiative (and allowed their tactical-level commanders to do so), and trained hard. + +While the Ukrainians have been short of certain equipment, including modern aircraft capable of challenging fifth-generation Russian fighters and bombers like the Sukhoi Su-34 and 35, the way in which the Ukrainians have adapted civilian technologies, including meshing AI with intelligence, has given them an edge. + +But in other respects, it’s a war that looks similar to the trench combat of the First World War; the great rolling plains of Ukraine are perfect tank territory too. + +___`Without certain weapon types supplied by the West, it will be hard to push the Russians out of Ukraine altogether`___ + +The delivery of newer Western tanks such as the M1 Abrams, the Leopard II and the UK’s Challenger will make a difference, as has the deployment of long-range HIMARS and Storm Shadow missile systems capable of striking deep-set Russian supply and command-and-control bases. So too has the use of Western 155mm artillery, more sophisticated and accurate than the Soviet-era equipment previously employed by Kyiv. + +The usefulness of this support depends on the steady supply of Western ammunition and equipment, which might not continue in certain circumstances. One threat is political – especially the US appetite for continuing support for the Ukrainian cause, which can be relied upon only so long as the Democrats remain in the White House. + +Another threat lies in the incremental assistance the West has so far preferred to supply to Ukraine, presumably out of fear that Kyiv will become too powerful and risk a radical response from Moscow or a change in tack from Beijing “if Putin was cornered and humiliated”, as suggested by Gregory Nemyrin, the deputy chair of the foreign relations committee in the Ukrainian parliament. + +This fear of catastrophic success is apparently founded on a belief that a cornered Putin could be very dangerous. After all, there are no prizes for second place in Russian politics. + +Without certain weapon types, it will be hard to push the Russians out of Ukraine altogether. While the Russians have proven comparatively hapless on the battlefield, it is unrealistic – and possibly foolhardy – to expect or risk their complete disintegration. It is certainly, however, a measure of the disorganisation and destruction of Russian forces that Kyiv will have to achieve to end the conflict. While the Ukrainians are short of certain weapon types, they only have to be better than the Russians – and that looks likely. + +Kyiv’s aim for its much-anticipated offensive is for Ukraine to arrive at the negotiating table in a position of strength. After all, this table is where “every war ends”, says Ukrainian Foreign Minister Dmytro Kuleba, “and our task is to bring Ukraine to the table in the strongest position possible”. + +The sheer rate of consumption of shells in the conflict – at peak, according to Western military estimates, amounting to 20,000 daily by the Russians – represents a further threat. Given that the largest facility worldwide, in Scranton produces 11,000 per month (though there are plans to increase this to 85,000 by 2028), there is a looming deficit in NATO stocks. Already, the US has given Ukraine “more than 1.5 million rounds of 155mm ammunition” as part of Washington’s $38 billion in military assistance. + +A final threat lies in the continued ability of the Ukrainians to win on the battlefield, without which Western fatigue might set in – a trait that could be compounded by any failure on Kyiv’s part to develop a narrative beyond victimhood. Everyone loves a winner, not a whinger, and war is no different. + +The narrative battle is ongoing, demanding considerable dedication of resources. Contending with the Russian version of the war – given Moscow’s comparative strengths of resources and news outlets including RT and Sputnik – is challenging. This demands countering disinformation, on which a Ukrainian government unit works full-time, and promoting a positive image of Ukraine based – says Myhailo Podoliak, the head of the presidential office – on “its internal core strength, its rapid transformation, sincerity, and its ability to understand and manage complexity”. In this, he notes, “leadership allows us to have a global role and to be the subject”. + +So far, the Ukrainians continue to surprise and are alert to these challenges. Their ingenuity can also be seen in the refurbishment of vehicles left behind on the battlefield by the Russians. Around the eastern city of Kharkiv, for example, according to Ukrainian sources, the Russians abandoned nearly 400 armoured vehicles – now known, in Ukrainian humour and in reference to the US Second World War programme, as “Russian lend-lease”. + +Industriousness is present in other ways. The mayor of Kharkiv, Ihor Terekhov, notes that some 4,000 homes in the city – Ukraine’s second largest, which lies just 30 km from the Russian border – were destroyed in the early days of the war. This has mostly been cleaned up, though the city remains under artillery and missile fire and many of its shops and offices are boarded up. + +The same is true for the areas around Kyiv, notably in the suburbs of Bucha, Irpin and Borodynka. Today they are all being rebuilt, even though the bitter memories will remain – not least the massacre of 458 civilians in Bucha, later buried in a pit behind the back of the local Orthodox church. + +___`From a Ukrainian perspective, the war has to be finished quickly, before Russia manages to get its industry behind its war effort`___ + +The eastern city of Izyum, too, has been scarred by the deaths of an estimated one thousand civilians out of an original pre-war population of 45,000. The city was liberated on 14 September. After liberation, according to the Izyum authorities, a mass grave of 440 bodies was found in the woods to the north of the town, while an estimated 80% of housing was destroyed. + +Today, much of the town has been cleaned up. The secretary of the local municipality, Constantine Petrov, says a “horrible picture” greeted his team when they returned after the Russian retreat on 14 September. “Only a few houses on the outskirts had gas, and no-one had electricity”. We chatted in the only municipal building left standing, new windows fitted where the old ones had been blown out by the constant shellfire which characterised the fortnight-long struggle for the town in February–March last year. + +Similar conditions were created in Kharkiv. The governor of the Kharkiv region, Dr Oleh Synyehubov, counts the cost at 30,000 damaged and destroyed buildings, including 8,500 private households, 4,000 multi-story complexes, 800 educational establishments, 300 hospitals and clinics, and 100 government buildings. He puts the number of dead at some 2,000 civilians, including 75 children. Dr Synyehubov estimates the cost of destruction at around $15 billion “so far”, since there are more than 20 towns in his oblast which continue to be shelled on a daily basis. He praises international benefactors who have come forward to assist, singling out Howard Buffet, who donated DNA kits to enable the identification of victims and has “rebuilt 15 bridges”. He acknowledges, however, than salvation will come from inside, stating that “peace will only come about through a strong Ukraine and a strong military”. He adds: “We have to count on our own strength, not that of international agreements”. + +It’s tempting to be fascinated by the impact of hi-tech weaponry on the battlefield, including Russian hypersonic Kinzhal (or “danger”) missiles capable of striking targets at Mach 10, and the widespread use of Iranian Shahed drones (known locally as “scooters” due to the noise they make) as a terror weapon. The police station in Izyum was hit with one such drone two days before we visited, putting the officers a bit on edge. + +For military strategists, this war raises questions about how future armies might be structured and equipped. It stresses training, equipment, intelligence and the ability to quickly scale up in partnership with others. It also poses tough questions about the performance of the West in deterring Russia before the conflict, thus potentially avoiding it altogether. The West’s abject performance in Afghanistan would have led the Russians to believe it was weak. Deterrence was further undermined by President Joe Biden’s statement before the war that putting US troops on the ground in Ukraine was “not on the table”. By removing this card, and by not saying clearly that the US would supply Ukraine with modern equipment – as it has subsequently done – deterrence was undermined. + +The more things change, the more they stay the same. Wars are won by stamina, skill, logistics and leadership. Ukraine has these in spades, alongside its moral advantage: it is the victim of Russian aggression, the David delivering hammer blows to the Russian Goliath. + +The Ukrainians have excelled at organisation. The first days of the war were characterised by the chaos of refugee movements, as more than five million Ukrainian women and children fled westwards, many to camps and homes elsewhere in Central and Western Europe. There were fuel and other shortages in the first few months, but the Ukrainians quickly got organised. Visiting today – approaching 500 days into the war – Ukrainians are going about their lives despite daily Russian terror attacks on the country’s urban centres. Cities are notable for the number of men now in uniform. + +Kharkiv, for instance, which had been reduced to 500,000 people from its pre-war population of two million, is now back to the one million mark, according to Colonel Yevhen Vasylenko of Kharkiv’s Rescue and Emergency Services. The roads to the south – leading towards Izyum and other towns – are open, though the heavy security presence reminds one of the dangers. Electricity was restored in Izyum a week after the Russian withdrawal, while heating has been restored to more than 90 apartment blocks. + +Already, the authorities are rapidly pursuing a stabilisation, normalisation and reconstruction agenda. In the Kharkiv oblast alone, 69,000 mines have been lifted, roads are being repaired and electricity is being restored. + +The counteroffensive will be won – or lost – by the ability to achieve what military strategists describe as the “combined arms effect”. This type of battle involves the close integration of artillery, air defence and offence, and well-drilled and mobile ground forces. The Ukrainians now possess the surface-to-air missile cover to keep Russian aircraft and helicopters at bay, the ability to jam crude Russian comms, offensive drone (and some jet) capability, and – with the delivery of Storm Shadow and HIMARS, among other systems – the guided missile technology to force Russian headquarters and supply dumps far to the rear. In addition, they have proven short- and longer-range foreign and local anti-tank weapons; sophisticated heavy tanks including the Leopard, Abrams and Challenger; as well as Western infantry fighting vehicles. This approach also requires the integration of engineer units to clear obstacles, including the multi-layered minefields dug by the Russians. And then the organisation has to keep the offensive going, maintaining supply lines and operational tempo – something the Russians proved incapable of doing, in part because they chose February to invade and their convoys were strung out on paved roads, becoming easy prey for Ukrainian anti-tank units and drones. + +As David Petraeus, the retired US general, has put it, such a combined operation is “very complex … it’s a bit like a symphony. You have to have all of the different pieces play their part”. He believes the Ukrainians now have this capability. + +Whatever happens, from a Ukrainian perspective, the war has to be finished quickly, before Russia manages to get its industry behind its war effort. Russia has so far done an exceptional job of shoring up its economy, even though it has taken a hammering from Western sanctions. It seems now to be gearing itself up for a long war – although Putin will have to explain why even greater numbers of Russian boys are dying in this war, when the Ukrainians were supposed to have greeted them as liberators. Ukrainian estimates have the number of Russian dead at over 210,000; Western estimates suggest the overall number of casualties, including wounded, is around that number. Bakhmut alone cost the Wagner Group 17,000 dead, and perhaps as many as five times that number wounded. + +Those thinking of making peace in this neighbourhood will not only have to think of questions of international law, sovereignty, human rights, and moral legitimacy in seeking compromise, but also about putting in place the conditions that will prevent a return to conflict. As Karina, who spent the six months of Russian occupation in hiding in Izyum and who now runs a small restaurant in the town with her friend, pleads: “I just want peace, and silence”. + +How the war ends will, critically, shape the manner of the peace. + +--- + +__Greg Mills__ heads the Johannesburg-based Brenthurst Foundation, established in 2005 by the Oppenheimer family to strengthen African economic performance. With Brenthurst, Greg has directed numerous reform projects with African heads of government, and almost continuously at various levels of government in South Africa from the Foundation’s outset. diff --git a/_collections/_hkers/2023-06-21-surveillance-for-sale.md b/_collections/_hkers/2023-06-21-surveillance-for-sale.md new file mode 100644 index 00000000..dc0867d0 --- /dev/null +++ b/_collections/_hkers/2023-06-21-surveillance-for-sale.md @@ -0,0 +1,358 @@ +--- +layout: post +title : Surveillance For Sale +author: Caitlin Chin +date : 2023-06-21 12:00:00 +0800 +image : https://i.imgur.com/si2Gtvi.jpg +#image_caption: "" +description: "The Underregulated Relationship between U.S. Data Brokers and Domestic and Foreign Government Agencies" +excerpt_separator: +--- + +_U.S. and foreign government agencies can acquire sensitive personal information, like smartphone geolocation records, from data brokers. Stricter privacy protections are necessary to strengthen U.S. national security, human rights, and economic interests._ + + + +### Introduction + +Ten years ago, when whistleblower Edward Snowden revealed that U.S. government agencies had intercepted bulk telephone and internet communications from numerous individuals around the world, President Barack Obama acknowledged a long-standing yet unsettled dilemma: “You can’t have 100 percent security and also then have 100 percent privacy and zero inconvenience. . . . There are trade-offs involved.” + +Snowden’s disclosures reignited robust debates over the appropriate balance between an individual’s right to privacy and the state’s interest in protecting economic and national security — in particular, where to place limitations on the U.S. government’s ability to compel access to signals intelligence held by private companies. These debates continue today, but the internet landscape — and subsequently, the relationship between the U.S. government and private sector — has evolved substantially since 2013. U.S. government agencies still routinely mandate private companies like Verizon and Google hand over customers’ personal information and issue nondisclosure orders to prevent these companies from informing individuals about such access. But the volume and technical complexity of the data ecosystem have exploded over the past decade, spurred by the rising ubiquity of algorithmic profiling in the U.S. private sector. As a result, U.S. government agencies have increasingly turned to “voluntary” mechanisms to access data from private companies, such as purchasing smartphone geolocation history from third-party data brokers and deriving insights from publicly available social media posts, without the formal use of a warrant, subpoena, or court order. + +In June 2023, the Office of the Director of National Intelligence (ODNI) declassified a report from January 2022 — one of the first public efforts to examine the “large amount” of commercially available information that federal national security agencies purchase. In this report, ODNI recognizes that sensitive personal information both “clearly provides intelligence value” but also increases the risk of harmful outcomes like blackmail or harassment. Despite the potential for abuse, the declassified report reveals that some intelligence community elements have not established proper privacy and civil liberties guardrails for commercially acquired information and that even ODNI lacks awareness of the full scope of data brokerage contracts across its 18 units. Critically, the report recognizes that modern advancements in data collection have outpaced existing legal safeguards: “Today’s CAI [commercially available information] is more revealing, available on more people (in bulk), less possible to avoid, and less well understood than traditional PAI [publicly available information].” + +The ODNI report demonstrates how the traditional view of the privacy-security trade-off is becoming increasingly nuanced, especially as gaps in outdated federal law around data collection and transfers expand the number of actors and risk vectors involved. National Security Adviser Jake Sullivan recently noted that there are also geopolitical implications to consider: “Our strategic competitors see big data as a strategic asset.” When Congress banned the popular mobile app TikTok on government devices in the 2023 National Defense Authorization Act (NDAA), it cited fears that the Chinese Communist Party (CCP) could use the video-hosting app to spy on Americans. However, the NDAA did not address how numerous other smartphone apps, beyond TikTok, share personal information with data brokers — which, in turn, could transfer it to adversarial entities. In 2013, over 250,000 website privacy policies acknowledged sharing data with other companies; since then, this number inevitably has increased. In a digitized society, unchecked data collection has become a vulnerability for U.S. national security — not merely, as some once viewed, a strength. + +The reinvigorated focus on TikTok’s data collection practices creates a certain paradox. While politicians have expressed concerns about Chinese government surveillance through mobile apps, U.S. government agencies have purchased access to smartphone geolocation data and social media images related to millions of Americans from data brokers without a warrant. The U.S. government has simultaneously treated TikTok as a national security risk and a handy source of information, reportedly issuing the app over 1,500 legal requests for data in 2021 alone. It is also important to note that national security is not the only value that can come into tension with information privacy, as unfettered data collection carries broader implications for civil rights, algorithmic fairness, free expression, and international commerce, affecting individuals both within and outside the United States. + +___`The ODNI report demonstrates how the traditional view of the privacy-security trade-off is becoming increasingly nuanced, especially as gaps in federal law around data collection and transfers expand the number of actors and risk vectors involved.`___ + +Technological advancements warrant a reexamination of the traditional privacy-security trade-off — one that prioritizes forward-looking guardrails around emerging trends in data analytics, particularly the rising ubiquity of commercially available information. This report attempts to bridge these gaps by analyzing the relationship between the U.S. data brokerage industry and domestic and foreign government agencies. It first explains how private companies have built up massive troves of personal information, which data brokers aggregate and sell to both public and private sector entities without proper safeguards to protect privacy and civil liberties. Then it analyzes U.S. privacy developments alongside those in the European Union, Canada, and China, illustrating how even governments that have recently modernized their data protection frameworks still have not fully addressed voluntary access to private sector data. Ultimately, it illustrates how stricter U.S. data privacy regulations in the private and public sectors will strengthen the national security, human rights, and economic interests of the United States rather than hobble its geopolitical competitive position. + + +### Background + +_How Data Brokers Operate_ + +Over the past decade, popular consumer-facing devices, websites, and apps have built up increasingly sophisticated surveillance capabilities due to several trends. For one, data storage has become more affordable, creating incentives for companies to retain data even when it is no longer needed for the purpose for which it was originally collected. In addition, widespread deployment of predictive algorithms across all sectors has generated high demand for personal information. As a result, numerous digital platforms now operate their business models around sharing detailed user information with advertisers, private corporations, individuals, or government agencies — often through third-party intermediaries known as data brokers. + +Data brokers operate in many forms, but they generally profit from aggregating, packaging, and transferring the personal information of large numbers of individuals. Many of these companies compile nonpublic information such as smartphone geolocation, internet history, communication metadata, utilities, and biometrics, which they obtain from sources like mobile apps and web browsers using software development kits, cookies, real-time bidding processes, and direct purchases. Some also scrape publicly available information like social media posts, audio and visual footage taken in outdoor areas, or government archives like Department of Motor Vehicles records, voter registrations, tax or property filings, or arrest histories. Data brokers may also obtain information from other data brokers or even purchase mobile apps in order to acquire datasets, creating an intricate, nontransparent web that affected individuals and the general public cannot follow. + +According to Sensor Tower, the average American interacts with almost 50 mobile apps per device per month, many of which track intimate details such as a person’s location history, communications records, purchases, web or browsing activity, and biometrics. When data brokers combine such information from multiple first-party sources, they can paint an extensive picture of a person’s lifestyle habits and preferences. A 6(b) study by the Federal Trade Commission (FTC) in 2014 found that Acxiom had over 3,000 data points for almost all U.S. individuals, and since then the information ecosystem has only grown. The same 6(b) study also found that some of the nine large data brokers surveyed “store all data indefinitely, even if it is later updated, unless otherwise prohibited by contract.” + +___`Widespread deployment of predictive algorithms across all sectors has generated high demand for personal information.`___ + +There is no single legal definition of a data broker in the United States, which presents a challenge to regulating their interactions with government agencies. In 2014, the FTC described data brokers as “companies that collect consumers’ personal information and resell or share that information with others.” This definition broadly encompasses both first- and third-party companies, as well as those that transfer data without a monetary transaction. California requires any business that “knowingly collects and sells to third parties the personal information of a consumer with whom the business [it] does not have a direct relationship” to register with the state attorney general. As of November 2022, 515 companies had done so. The American Data Privacy and Protection Act (ADPPA) generally defines third-party collecting entities as those “whose principal source of revenue is derived from processing or transferring the covered data that the covered entity did not collect directly from the individuals.” This report primarily analyzes third-party data brokers who lack direct relationships with individuals linked to datasets and fall within the ADPPA’s definition. + +While some data brokers sell datasets in aggregate form, deidentification does not guarantee individuals’ privacy or safety. It is possible to reidentify specific individuals by combining multiple attributes or tracking location data points over an extended period. In 2013, Harvard University professor Latanya Sweeney reidentified over 40 percent of 1,000 “anonymous” individuals who shared DNA for the Personal Genome Project by combining their information with public records like voter registration. Tufts University professor Susan Landau recently testified that often only four data points are required to reidentify specific individuals. In a 2022 letter, a trio of senators expressed concerns that BetterHelp and Talkspace had shared sensitive mental health information that could readily reidentify individuals: “Even though you claim this data is anonymized, it can still provide third parties with important and identifying information.” One broker, Fog Data Science, claims it does not collect names or email addresses but sells the long-term geolocation history of smartphone devices, which can infer where somebody lives or sleeps based on their movement patterns. Furthermore, even aggregated location patterns can help law enforcement officers locate abortion facilities with high levels of activity or detect routes along the U.S.-Mexico border with unusual traffic. + +Data brokers may also build and license algorithmic models to infer or predict information from otherwise unconnected data points, such as health, finances, race, religion, gender identity, sexual orientation, familial status, and more. Without federal regulations, Americans have little control over how data brokers handle their personal information, particularly since first-party businesses typically do not disclose the identities of the third parties with whom they share such information or how algorithmic inferences can inform decisions that could significantly affect people’s lives. + +> #### `Examples of U.S. data brokers` + +- `LexisNexis has reportedly compiled over 78 billion data points from 10,000 public and private sources in 442 lifestyle categories that predict individual health risks and subsequent medical costs. While the company stated in 2018 that its analysis had not yet influenced individual insurance costs, there is no guarantee this will not happen in the future.` + +- `As of 2014, an Equifax subsidiary had reportedly aggregated and sold access to employee pay stub information for approximately 38 percent of the U.S. workforce.` + + - `Datalogix compiles and sells personal shopping history from over 1,400 store loyalty programs.` + + - `LexisNexis had reportedly scraped over 37 billion data points from 10,000 different government sources as of 2021, including criminal and property records. Meanwhile, Spokeo, Intelius, and BeenVerified, also known as people search websites, sell access to personal information scraped from public records to anybody on the internet, typically for a low fee.` + + - `SafeGraph, Venntel, X-Mode, and Babel Street purchase geolocation and other personal information from smartphone apps, advertising exchanges, and other data brokers, which they then sell to other companies, individuals, or government agencies. In recent years, U.S. agencies including the Federal Bureau of Investigation (FBI), Department of Homeland Security (DHS), and Defense Intelligence Agency (DIA) have purchased U.S. smartphone geolocation information from data brokers without a warrant.` + + - `Clearview AI has reportedly scraped billions of images from publicly available websites, including social media platforms. Using facial recognition technologies, it matches specific individuals to uploaded photos. It licenses access to this extensive database to over 3,000 federal and state entities, including the Central Intelligence Agency (CIA) and FBI.` + + - `Giant Oak, Palantir, and Barbaricum monitor social media platforms in aggregate, allowing customers to search billions of user-generated posts for keywords or images. The DHS has reportedly contracted private vendors to track open-source social media posts to identify individuals within the United States that could be associated with visa overstays, public safety risks, or national security threats. Starting in March 2020, Barbaricum, in partnership with Palantir, received a $2.1–$5.5 million contract to track real-time social media activity, which could include content that users later delete, from Immigration and Customs Enforcement (ICE).` + + - `Vigilant Solutions and Thomson Reuters have monitored and stored the image, location, and time stamp history of billions of license plates in open-air parking lots, highways, and intersections, effectively providing a warrantless means of tracking individuals’ locations for thousands of U.S. law enforcement agencies. Between 2017 and 2021, the DHS awarded $7.4 million to West Publishing Corporation, owned by Thomson Reuters, to access its license plate recognition database.` + + - `Fog Data Science has advertised collecting billions of data signals from mobile apps, revealing “near real-time” location histories from over 250 million U.S. devices dating back to 2017. It has sold access to this information to federal, state, and local law enforcement agencies for under $10,000 annually, sometimes offering free trials.` + + +### Privacy Concerns from Domestic Government Relationships with U.S. Data Brokers + +By design, third-party data brokers pose risks to a person’s privacy. Among other practices, the industry infers intimate details about a person’s life from a myriad of data points, processes personal information for secondary purposes outside the scope of the initial interaction, and multiplies the number of parties that access a dataset throughout its life cycle. For instance, ProPublica reports that data brokers have helped health insurers predict physical and mental health conditions by analyzing disparate data points such as education, age, race, marital status, neighborhood, and recent purchases. In addition, Duke University researcher Joanne Kim found that several U.S. data brokers may have access to contact information that can identify individual users of mobile mental health apps. + +As a result, privacy violations by the U.S. data brokerage industry can cause both measurable and immeasurable consequences for Americans, including psychological, emotional, reputational, financial, and physical harm. For example, data brokers have targeted predatory advertisements related to debt or financial scams to individuals whom they have algorithmically profiled as financially vulnerable. In 2016, LeapLab settled with the FTC after selling payday loan applications to marketers who then stole money from bank accounts. Data brokers can also reveal details such as sexual orientation without individuals’ consent, placing LGBTQ+ individuals at disproportionate risk of doxing or discrimination. In 2021, a senior official of the U.S. Conference of Catholic Bishops resigned after being involuntarily outed by a religious publication that had purchased his Grindr location information from a data broker. Data brokers can even enable stalking or physical violence. In 2020, a gunman shot a federal judge’s husband and son after purchasing her home address and other personal information online. + +When third-party data brokers share personal attributes with U.S. government agencies, they may influence significant societal decisions, such as imprisonment, deportation, distribution of public benefits, and more. Since 2014, ICE has regularly contracted Palantir to mine personal information from public and private databases, reportedly facilitating deportations, workplace raids, and family separation. In 2019, ICE — aided by Palantir systems — arrested 680 workers at a food processing company in Mississippi, leaving at least two children at home unaccompanied for over a week after their parents were detained. In 2021, LexisNexis received a contract worth up to $1.2 billion to verify individuals’ identities for state unemployment insurance claims, a critical lifeline for many Americans. The same year, researchers at the Center for Democracy and Technology uncovered an additional 30 U.S. federal government awards for data brokerage services that totaled approximately $86 million, likely a fraction of the full scope of government contracts that data brokers received. + +As U.S. government agencies become increasingly dependent on the private sector, some analysts point out that data brokers can offer material benefits. For example, the Centers for Medicare and Medicaid Services, Department of Labor, Internal Revenue Service, and Department of Veterans Affairs have used aggregated data points to predict fraudulent or erroneous payments. However, the same datasets used for beneficial purposes can also lead to secondary, more controversial outcomes. For example, Thomson Reuters offers a CLEAR database that contains home addresses, vehicle registrations, employment histories, and utility records from at least 400 million individuals. Although the company markets this database to provide alternative credit histories for people who lack access to traditional credit cards, ICE also reportedly used this service until 2021 to help enforce deportations of individuals who do not pose physical security threats. In fact, data brokers can serve a variety of functions for both public and private organizations, potentially informing decisions related to employment, credit or risk scores, health insurance, public interest research, political outreach, and policing. + +Regardless of the purpose behind the surveillance effort, there is at least some ethical ambiguity with any contract that U.S. government agencies sign with data brokers. First of all, U.S. government contracts feed into the rapid growth of an industry that faces minimal legal limitations on collecting, processing, storing, and sharing data. Second, algorithms based on personal attributes sometimes draw inaccurate conclusions that can significantly affect people’s lives. Between 2008 and 2019, ICE relied on faulty databases, compiled with the assistance of private data brokers, to arrest approximately two million individuals based on their country of birth and lack of verified citizenship documents — a practice a federal judge found unconstitutional in Gonzalez v. ICE (2019). Due to overreliance on flawed electronic databases, law enforcement officers have mistakenly targeted individuals such as Renata and Chris Simmons, whose dog police officers shot, and Denise Green, whom officers wrongly held at gunpoint. In many cases, individuals do not have the option to view these databases or request that data brokers correct inaccurate profiles. + +___`U.S. government contracts feed into the rapid growth of an industry that faces minimal legal limitations on collecting, processing, storing, and sharing data.`___ + +When data brokers collaborate with law enforcement agencies to implement predictive policing, they could produce inaccurate or flawed outcomes based on historically biased training data. At the local level, some police departments have used modeling systems designed by firms like PredPol to anticipate crime based on historical patterns and adjust their patrol routes accordingly. In addition, data brokers have sold Americans’ personal information to state-run fusion centers, which hire analytics firms like Palantir to scan past data for future threats. But since local governments have historically focused surveillance resources on neighborhoods based on factors like race, income, and religion, predictive modeling systems draw upon and reproduce these biases in future cycles. At the federal level, the DHS’s use of social media analysis to predict threats is notoriously defective, since it frequently uses vague keywords as proxies for illegal activity and may fail to identify context clues, cultural differences in speech, and satire. + +The data brokerage industry is shadowy and opaque, as companies rarely disclose details of their data collection and analysis to external parties. This lack of transparency prevents government agencies and other customers from discovering potential biases in these technologies, even when they lead to erroneous criminal arrests. Trade secret protections further complicate access to exculpatory evidence that could prove an individual’s innocence if inaccurate datasets or algorithms are used. Although data brokers may post vague privacy policies on their websites, they generally do not disclose the specific entities they access information from, clients they share information with, methods of building algorithmic inferences, and types of data that are stored or shared. In other words, there are few ways for impacted individuals, public interest researchers, or the general public to learn about the sale of personal information or to correct any subsequent predictive profiling. + +___`Since local governments have historically focused surveillance resources on neighborhoods based on factors like race, income, and religion, predictive modeling systems draw upon and reproduce these biases in future cycles.`___ + +Aside from accuracy concerns, data brokers can also perpetuate systemic biases in law enforcement by directly targeting personal attributes like race, ethnicity, country of origin, religion, and income. For example, X-Mode and Predicio have reportedly sold information from smartphone apps like Muslim Pro and Salaat First to Department of Defense (DOD) contractors. Kochava, which is facing an FTC lawsuit, sold location information that could be used to track people who visit places of worship, reproductive health facilities, addiction recovery centers, and homeless shelters. In mid-2020, Mobilewalla reportedly monitored the device geolocation history of approximately 17,000 individuals at Black Lives Matter demonstrations, and the Los Angeles Police Department tested ABTShield to scan Twitter for keywords like “lives matter,” “protest,” and “solidarity.” In 2018, the DOJ initiated an investigation into the Oregon TITAN Fusion Center for tracking local residents who had posted #BlackLivesMatter on social media platforms. Furthermore, Venntel has sold smartphone geolocation data to ICE and U.S. Customs and Border Protection to track individuals along the U.S.-Mexico border, which increases the vulnerability of immigrants and noncitizens. + + +### National Security Concerns about Foreign Government Access to the U.S. Data Brokerage Ecosystem + +In the United States, most private companies, including data brokers, face few constraints on transferring or storing personal information outside the country. As a result, foreign governments can easily obtain sensitive personal information about Americans through data brokers, whether through direct transactions or third-party intermediaries like front companies. However, due to a general lack of transparency, it is difficult to measure the degree to which U.S. data brokers currently work with foreign governments, including China or Russia. + +In 2020, William Evanina, then director of the U.S. National Counterintelligence and Security Center, stated that China is “one of the leading collectors of bulk personal data around the globe, using both illegal and legal means.” Between 2020 and 2021, the Washington Post documented over 300 relationships between China and Chinese-based private data miners to cross-analyze social media posts, public records, and commercial datasets. These included detailed profiles of domestic and foreign journalists and critics, some of whom were located in the United States, that were accessible to China’s Propaganda Department, state media, law enforcement, and military. In 2018, China’s state-controlled People’s Daily reported the government’s public opinion data mining industry was worth tens of billions of yuan and rapidly expanding by 50 percent each year. + +Although foreign governments, like China, do not have legal jurisdiction over most Americans, they could still benefit from the ubiquitous digital surveillance U.S. data brokers offer. For example, foreign entities could purchase sensitive geolocation information to target specific high-profile individuals like politicians or journalists. Demonstrating the ease of smartphone tracking, the New York Times obtained over 50 billion anonymized smartphone geolocation points from 2016 to 2017 and almost instantaneously identified former U.S. president Donald Trump, Secret Service agents, senior congressional staffers, and DOD officials. In addition to geolocation, commercial data sales related to physical or mental health, personal relationships, or finances could increase the vulnerability of high-profile Americans to blackmail or doxing by foreign and domestic bad actors. + +Foreign governments gaining direct access to Americans’ personal information or algorithmic inferences through U.S. data brokers could compromise military or intelligence operations. In 2016, PlanetRisk inadvertently detected U.S. military operations in Syria by tracking soldiers’ smartphone geolocation data. In December 2017, Strava unveiled a publicly available heat map that displayed over 1.4 trillion latitude and longitude points of individuals wearing fitness trackers, possibly implicating those in military bases in Afghanistan, Syria, Niger, Djibouti, Yemen, and Turkey. As recently as 2021, Acxiom, LexisNexis, and Nielsen actively advertised selling or sharing information related to military officers. Even China cautioned its People’s Liberation Army personnel in 2015 about the data protection risks of “device[s] that can record high-definition audio and video, take photos, and process and transmit data” — in other words, most popular consumer products today. + +Advanced data analysis could also help foreign actors strategically promote authoritarian or otherwise harmful messaging during U.S. elections based on voters’ interests and backgrounds. During the 2016 U.S. presidential election, the Russia-linked Internet Research Agency (IRA) purchased about 3,000 political advertisements and uploaded 80,000 posts on Facebook using stolen U.S. identities, reaching tens of millions of U.S. users. The IRA disproportionately targeted Black voters with both paid advertisements and unpaid content to discourage turnout; many of its user-generated posts mentioned race in some form. A subsequent investigation by the Senate Select Committee on Intelligence, led by Robert Mueller, found the threat posed by ad targeting “is magnified by the ease with which personal data can be purchased or stolen by a foreign adversary with advanced cyber capabilities.” + +Seven years after the 2016 election cycle, commercial data brokers routinely sell Americans’ personal information to U.S. political campaigns, leaving the infrastructure in place for foreign governments to potentially influence domestic elections using the same tools. Both Democratic and Republican campaigns use U.S. data brokers like Experian to purchase datasets on income, religion, gun ownership, credit score, and voter registration in order to direct relevant online advertisements, paper pamphlets, and phone calls to voters. The Republican National Committee reportedly possesses over 3,000 data points per U.S. voting adult. These tactics resemble those used by the controversial UK-based firm Cambridge Analytica, which amassed personal information from over 50 million Facebook users to target advertisements and fundraising requests for Trump’s 2016 presidential campaign. The widespread availability of these datasets, combined with common data brokerage practices of categorizing individuals based on inferred background or interests, could facilitate foreign government targeting of disinformation in future democratic elections. + +The vast quantity and scope of information that data brokers store also enlarge the attack surface for state-sponsored cyber breaches, especially since not all companies employ adequate security protections. After the Chinese government hacked Equifax in 2017, exposing sensitive information of approximately 147 million Americans, the FTC discovered Equifax had failed to implement basic security measures such as encryption and strong passwords. In 2019, hackers offered up LimeLeads’ non-password-protected database for sale online, exposing names, email addresses, and home addresses from 49 million customers. Other major data broker breaches include Acxiom in 2003, Epsilon in 2011, and Experian in 2015, highlighting how U.S. personal information is of high interest to both domestic and foreign hackers. In 2005, a Senate hearing warned that massive aggregation and storage of sensitive personal details could create opportunities for identity theft. Since then, data collection has only escalated. + +___`Seven years after the 2016 election cycle, commercial data brokers routinely sell Americans’ personal information to U.S. political campaigns, leaving the infrastructure in place for foreign governments to potentially influence domestic elections using the same tools.`___ + +Adam Klein, director of the Robert Strauss Center on International Security and Law of the University of Texas at Austin, notes, “As long as this [the data broker] business model persists, it will remain virtually impossible to prevent this information — and the intelligence bounty that it represents — from falling into the hands of hostile foreign powers.” Although foreign governments may access information through many channels, the growing data brokerage industry both expands and expedites authoritarian surveillance and censorship efforts to a larger scale. This highlights the importance of modernizing privacy laws to curb extraneous data collection and mitigate risks to privacy, civil rights, and national security across the ecosystem. + + +### Current U.S. Privacy Laws Fail to Check U.S. Data Broker Partnerships with Government Agencies + +#### The U.S. Federal and State Commercial Privacy Landscape + +The United States has dozens of federal and state statutes that address how private businesses protect personal information, but they have not undergone significant updates in decades and have fallen behind technological advancements. Many U.S. commercial data protection laws cover only specific sectors and types of companies, which leaves certain underregulated entities — data brokers, digital platforms, and mobile apps — free to process, share, and store an extensive range of sensitive personal information. + +For example, the federal Health Insurance Portability and Accountability Act (HIPAA) of 1996 generally requires medical providers and health insurers to obtain affirmative express consent before sharing personal health information, but does not apply to data brokers, which can transfer mental or reproductive health data at will. Similarly, the Family Educational Rights and Privacy Act (FERPA) of 1974 requires U.S. schools to follow certain privacy safeguards to protect their students, but does not prevent schools from using data brokers to target recruitment advertisements to individuals who are not enrolled. Most federal laws do not directly address geolocation tracking and sharing, except for the Children’s Online Privacy Protection Act (COPPA) of 1998 which requires companies to obtain parental consent before collecting personal information from minors under 13. + +Only eight states — California, Utah, Virginia, Colorado, Connecticut, Iowa, Indiana, and Tennessee — have enacted laws that allow residents the right to access, correct, and delete the personal information that private companies, including data brokers, hold. These states also require first-party companies that share information with third parties to impose contractual privacy obligations and mandate various degrees of data minimization. However, most U.S. states have not yet enacted comprehensive privacy laws, and the laws that exist have varying strength. For example, California allows people to opt out of automated profiling, while Utah does not. In addition, California and Vermont require data brokers to register with the state, providing some degree of transparency for individuals, regulators, and the public. Nevada, meanwhile, mandates data brokers to permit individuals to opt out of the sale or transfer of their personal information. + +___`Many U.S. commercial data protection laws cover only specific sectors and types of companies, which leaves certain underregulated entities — data brokers, digital platforms, and mobile apps — free to process, share, and store an extensive range of sensitive personal information.`___ + +The FTC can act against companies, including data brokers, engaging in “unfair or deceptive acts or practices” across the U.S. economy, but there are limits to its enforcement power. Historically, it has focused primarily on companies that engage in deceptive behavior or misrepresent their privacy policies, leading to a system of “notice and consent,” in which companies require users to click “I accept” to data collection in order to access basic services. But an emphasis on notice and consent can incentivize companies to publish vague language that promises little-to-no privacy protections. As the Information Technology and Innovation Foundation observed in 2015: “If you do not want the FTC to come after you, do the bare-minimum on privacy.” As a result, many data brokers, such as Oracle and Epsilon, openly admit to aggregating data from thousands of companies in their privacy policies. + +Most agree the traditional notice-and-consent model does not effectively safeguard user privacy or restrict data brokerage practices. Even if individuals click “I consent” to use a first-party mobile app, they have no direct relationship with third-party data brokers and typically cannot control the future resale or use of their personal information. Additionally, nearly all digital platforms share personal information with third parties, leaving individuals with few options but to accept blanket data transfers if they want to engage in fundamental functions such as electronic communications, work, social or political activities, e-commerce, and rideshares. + +Reflecting these concerns, the FTC filed a complaint against Kochava in August 2022 to challenge its sale of the geolocation history of hundreds of millions of people, which could reveal visits to sensitive locations like reproductive health clinics or addiction recovery centers. Notably, the FTC argued Kochava’s practices are unfair, rather than deceptive, under Section 5 of the FTC Act — a departure from the traditional notice-and-consent approach. In August 2022, the FTC also issued an Advance Notice of Proposed Rulemaking (ANPR) seeking public comment on topics that could directly affect data brokers, including business models “that are premised on or incentivize persistent tracking and surveillance.” However, a federal court dismissed the FTC’s complaint against Kochava in May 2023, writing that “the alleged privacy intrusion is not sufficiently severe to constitute substantial injury,” and the ANPR is not guaranteed success either. The FTC filed an amended complaint against Kochava the following month, but bipartisan FTC commissioners have also recognized the limits of existing enforcement authority and have called on Congress to pass legislation to directly regulate data privacy practices and strengthen agency resources. + +#### Voluntary and Compelled Disclosure of Personal Information by U.S. Government Agencies + +As with commercial privacy laws, Congress has enacted several pre-internet statutes that limit the U.S. government’s access to data held by private companies. But Congress has not passed major reforms in years, and the recent evolution of the data brokerage industry has offered government agencies a loophole to work around outdated and uneven rules on digital surveillance. + +For example, the Electronic Communications Privacy Act (ECPA) of 1986 prevents certain types of businesses, such as phone companies and internet service providers, from voluntarily disclosing U.S. communications content and metadata to U.S. government agencies without a court order or subpoena. However, the ECPA does not apply to third-party data brokers or app developers, which largely did not exist back in 1986, leaving gaps where phone companies can sell “non-content” personal information to data brokers, who, in turn, can sell to government agencies outside the legal process. In 2018, Senator Ron Wyden called attention to Verizon, AT&T, T-Mobile, and Sprint’s sales of customer cell phone geolocation data to companies like LocationSmart, Zumigo, and Securus Technologies, which subsequently sold it to law enforcement agencies. In 2014, the Obama White House recommended modernizing the ECPA to remove “archaic distinctions” in privacy protections, but one decade later, the statute has not been substantially amended. + +In the absence of a statutory framework that directly regulates data brokers’ sales, U.S. government agencies are still bound by constitutional constraints that provide minimum processes to protect individual privacy and civil liberties. However, technological advancements raise legal uncertainties about the application of data brokerage contracts to traditional legal jurisprudence, especially regarding Fourth Amendment requirements for government agencies to obtain probable cause warrants to conduct “unreasonable searches and seizures.” While the Supreme Court has historically defined “unreasonable searches and seizures” as violating a “reasonable expectation of privacy,” commercial digital surveillance has eroded societal expectations of privacy over time. + +To determine what constitutes a reasonable expectation of privacy, courts have traditionally distinguished between public and private places, generally holding that Americans possess a lesser expectation of privacy in at least some public settings. In line with this traditional viewpoint, Clearview AI reportedly does not require U.S. government agencies to obtain warrants to access its facial recognition database, which draws billions of images from publicly available sources. Similarly, U.S. law enforcement agencies have not obtained warrants before accessing Vigilant Solutions’s and Thomson Reuters’s vehicle location databases, which automatically scan license plates in public areas. Nor have government agencies sought warrants to scan billions of public social media posts and images for specific keywords or people, aided by analytics companies like Palantir and Giant Oak. + +___`Technological advancements raise legal uncertainties about the application of data brokerage contracts to traditional legal jurisprudence, especially regarding Fourth Amendment requirements for government agencies to obtain probable cause warrants to conduct “unreasonable searches and seizures.”`___ + +The U.S. data brokerage industry also benefits from the third-party doctrine, or a legal notion that people do not possess a reasonable expectation of privacy from government agencies in information that they voluntarily share with third parties. In Carpenter v. United States (2018), the Supreme Court rejected the DOJ’s argument that the third-party doctrine should extend to cell site location information collected over a seven-day period, pointing out that smartphones are now a de facto requirement for modern society and that individuals cannot voluntarily choose to hand over unlimited geolocation data. However, the Carpenter decision was narrow, and it did not “call into question conventional surveillance techniques and tools, such as security cameras” nor “collection techniques involving foreign affairs or national security.” + +While Carpenter leaves a fair amount of gray area on the constitutionality of data brokerage partnerships with U.S. government agencies, these activities have nevertheless continued. In 2021, the DIA stated in a memo that it “does not construe the Carpenter decision to require a judicial warrant endorsing purchase or use of commercially-available data for intelligence purposes.” In 2020, Chad Mizelle, then acting general counsel at the DHS, arrived at a similar conclusion. The January 2022 ODNI report acknowledged that intelligence agencies have purchased the same types of cell phone geolocation records that Carpenter contested, stating that the sensitivity of such data may warrant additional safeguards. Some legal experts, like Carey Shenkman, Sharon Bradford Franklin, Greg Nojeim, and Dhanaraj Thakur of the Center for Democracy and Technology, argue that “the broad language of the [Carpenter] opinion suggests that the government must also obtain a warrant in order to access sensitive personal information in contexts beyond the facts of the case.” Yet others, such as Berkeley Law’s Orin Kerr, state that the Fourth Amendment does not require U.S. government agencies to have any justification or warrant to purchase information from a willing seller. + +Technological advancements also create legal uncertainties around the constitutionality of geofence warrants. In United States v. Chatrie (2022), a Virginia federal court found a geofence warrant identifying all smartphones signed into Google within 150 meters of a bank robbery unconstitutional. The court ruled that law enforcement lacked probable cause to broadly track the geolocation history of every nearby individual during that time frame but, emphasizing the “novel” nature of geofencing technology, allowed the government to proceed with the evidence under the “good faith” exception in United States v. Leon. In United States v. Rhine (2023), the D.C. District Court upheld the constitutionality of a geofence warrant to track January 6 rioters at the U.S. Capitol but did not address whether the defendant had a reasonable expectation of privacy in his smartphone geolocation history. + +Data brokers offer a path to work around these legal uncertainties, allowing law enforcement officers to sidestep geofence warrants by selling similar information (such as devices in specific locations at certain times) in ways that are much broader than a traditional warrant might allow. The judicial branch alone cannot resolve these legal issues. While courts interpret existing legal frameworks, they do not create new ones; rather they often either address overarching concepts like the Fourth Amendment or issue specific rulings like in Carpenter. Hence, Congress must act to both establish new privacy safeguards and amend existing statutes to account for emerging technologies. + + +### The Commercial and Government Surveillance Ecosystem in the European Union and China + +Advancements in data collection have exacerbated geopolitical tensions. It is difficult to preserve global trust if too many governments are escalating their own intelligence activities while also being averse to surveillance by other nations. Individuals and multinational companies, in turn, bear the immediate consequences of this lack of trust, especially if governments respond to extraterritorial access to personal information by cutting off cross-border exchanges of information and commerce. + +Most large economies like the European Union, Canada, and China have enacted national laws that regulate how technology platforms collect, process, and share personal information. The United States, which does not have a comprehensive federal commercial privacy law, is an outlier. Despite this, all four governments have acted as customers as well as regulators of commercial data brokers, though the size of the industry in each country varies widely. In December 2022, the Organization for Economic Cooperation and Development (OECD) released nonbinding principles in the Declaration on Government Access to Personal Data Held by Private Sector Entities, in which 38 OECD countries pledged to follow democratic practices like transparency, accountability, and redress when compelling access to private sector data. The guidelines acknowledged, but did not specifically address, stakeholder calls for multilateral engagement on voluntary government access to commercial or publicly available personal information. + +___`It is difficult to preserve global trust if too many governments are escalating their own intelligence activities while also being averse to surveillance by other nations.`___ + +If the United States can demonstrate willingness to implement major domestic restrictions on commercial data broker purchases, there is significant opportunity to illustrate shared values on privacy and promote global trust in cross-border data flows. As the data brokerage industry continues to operate globally, it is also important to understand how non-U.S. governments procure commercial datasets and explore ways to promote consistent and interoperable global frameworks. + +#### Constraints on the EU Data Brokerage Market under the General Data Protection Regulation + +Under the General Data Protection Regulation (GDPR), data brokers face stricter legal constraints in the European Union than in the United States. The data brokerage market exists in the European Union, but on a smaller scale. The EU market is estimated to be around €100 billion ($116 billion) compared to a U.S. market of over $200 billion. Around 2018, Privacy International exercised its GDPR right to access data held by several major U.S.-based data brokers like Acxiom, Oracle, and Equifax, ultimately filing complaints to UK and EU data protection authorities over alleged violations of GDPR provisions on purpose limitations, consent, transparency, and more. The UK Information Commissioner’s Office subsequently audited several major data brokers, including Acxiom, Data Locator Group, GB Group, Experian, Equifax, and Callcredit. Around the same time, France’s Commission Nationale de l’Informatique et des Libertés (CNIL) audited over 50 data brokers and ad-tech companies. + +In 2020, the Norwegian Data Protection Authority fined Grindr €6.5 million ($7.1 million) for sharing personal information, including geolocation, age, gender, and sexual orientation, with third-party marketing entities between at least 2018 and 2020 without a valid consent mechanism. The same year, the Privacy Collective and others filed a class action lawsuit for €11 billion ($12 billion) against Oracle and Salesforce in the Netherlands, alleging that their use of ad-tech trackers and real-time bidding systems violated the GDPR. The Privacy Collective’s suit was dismissed for lack of standing, but future litigation is possible. In 2022, the French CNIL fined Clearview AI €20 million ($22 million) for scraping EU personal information in violation of the GDPR, following previous charges by data protection authorities in Italy, Greece, and the United Kingdom. In other words, the GDPR’s transparency and data minimization requirements expose EU data brokers to heavier compliance costs and higher possibilities of litigation, making the industry riskier and less profitable than in the United States. + +Since 2018, the GDPR has established legal responsibilities for most public and private sector entities, including data brokers, that process information “relating to an identified or identifiable natural person.” The GDPR applies to some types of pseudonymized information, or information that “can no longer be attributed to a specific data subject,” and primarily excludes datasets where individuals cannot possibly be identified or reidentified in the future. In addition, GDPR protections cover public records and publicly available information. Overall, the GDPR regulates a much broader swath of personal information than what most recent U.S. legislative measures propose (see Section VII), which can constrain how EU data brokers initially collect and store commercial datasets, social media analysis, and public surveillance imagery. + +Although the GDPR does not directly apply to most law enforcement and intelligence operations, it still requires data brokers to have legal justification to sell personal information to government agencies — unlike the U.S. system, which places few hard restrictions on voluntary disclosure. Article 6 of the GDPR allows covered entities to process data to “protect the vital interests of the data subject or of another natural person” and perform “task[s] carried out in the public interest.” Article 23 of the GDPR allows member states to pass legislation to restrict the GDPR for national security, defense, and other “important objectives of general public interest.” The GDPR’s purpose limitations prevent entities from collecting personal information for one reason, such as to provide a requested service, but then using it for secondary purposes, such as selling it to law enforcement through data brokers, without an additional legitimate reason. Nonetheless, the permitted categories are broad, so law enforcement agencies overall can still purchase commercial datasets. + +In addition to purpose limitations, Article 5 of the GDPR requires data brokers to process personal information “fairly and in a transparent manner” and grants individuals the rights to access, correct, and delete data after they are processed. Article 14 requires data processors to disclose the names or categories of recipients of personal information, which could increase visibility into third-party data transfers. Furthermore, Article 22 allows individuals to opt out of automated profiling that could “significantly” affect them, which could limit some data brokerage activities but does not entirely prohibit behavioral advertising. Article 35 mandates entities perform “data protection impact assessment[s]” for processing activities “likely to result in a high risk to the rights and freedoms of natural persons,” which could affect development of tools by third-party data brokers for law enforcement or intelligence use. + +Although the GDPR has reduced the potential for privacy risks stemming from the EU data brokerage industry, it has not eliminated them entirely. For instance, OnAudience identified 1.4 million people who had searched for LGBTQ+ rights content ahead of the 2019 Polish parliamentary election, according to the Irish Council for Civil Liberties. While the data broker claimed its objective was to target voters with information about pro-equality campaigns, any data breaches or secondary uses of highly sensitive information like sexual orientation or gender identity could potentially result in involuntary outing or discrimination. The GDPR has also experienced challenges in enforcement timing and funding, both at the international and national levels. As of March 2022, Ireland’s Data Protection Authority had resolved only around 65 percent of cases involving cross-border data transfers since the GDPR became effective in 2018. In addition, the European Data Protection Board (EDPB) and national-level data protection authorities (DPAs) have faced procedural and communications challenges with regulatory enforcement. + +___`Although the GDPR has reduced the potential for privacy risks stemming from the EU data brokerage industry, it has not eliminated them entirely.`___ + +#### Efforts toward Member State Harmonization on Law Enforcement and Privacy + +Despite the constraints the GDPR imposes on the data brokerage industry, some EU member states have continued to purchase commercial datasets and automated open-source intelligence from private vendors, raising privacy concerns. In 2022, the Dutch supervisory committee Commissie van Toezicht op de Inlichtingen en Veiligheidsdiensten (CTIVD) revealed the country’s intelligence agencies Algemene Inlichtingen- en Veiligheidsdienst (AIVD) and Militaire Inlichtingen- en Veiligheidsdienst (MIVD) had contracted private companies to analyze commercially available personal information and automatically scan open-source information. However, a general lack of transparency across EU intelligence and national security agencies means the full extent of their data broker partnerships is not publicly known, similar to the ongoing situation in the U.S. market. + +Article 4(2) of the Treaty Establishing the European Union (TEU) states that “national security remains the sole responsibility of each Member State,” though EU law generally overrides any conflicts with national law. Some EU member states have enacted statutes that affect data brokerage relationships. For example, Articles 21 and 41 of the Dutch Intelligence and Security Services Act, or Wet op de inlichtingen- en veiligheidsdiensten (WIV), require authorities to receive permission to engage in the systematic collection of publicly available information, including commercially available datasets. Nonetheless, since the European Union primarily leaves intelligence and law enforcement operations to individual nations, local rules around government transactions with commercial data brokers are fragmented and not always publicly clear. Still, attempts to standardize EU-wide safeguards for civil liberties and national security, such as the European Convention on Human Rights (ECHR), Charter of Fundamental Rights (CFR), Convention 108, and the Law Enforcement Directive, carry implications for the regional data brokerage market. + +Article 8 of the CFR affirms individuals’ rights to personal data protection in the European Union, stating that processing should take place only with a person’s consent or “some other legitimate basis laid down by law.” Furthermore, Article 8 of the ECHR prohibits government entities from interfering with a person’s “private and family life” except when “necessary in a democratic society in the interests of national security, public safety or the economic well-being of the country, for the prevention of disorder or crime, for the protection of health or morals, or for the protection of the rights and freedoms of others.” But it is not always possible to draw a clear line at “necessary” or “democratic” in the context of government transactions with commercial data brokers, especially when balancing civil liberties and national security interests. Although the CFR and ECHR — unlike the U.S. Constitution — explicitly recognize privacy as a fundamental human right, the application of traditional rights to new technological developments remains ambiguous. + +The Council of Europe, an international organization with 46 countries including 27 EU member states, amended its treaty on individual privacy and data processing in 2018. Article 11.3 of the Council of Europe’s amended Convention 108+ states that personal information may be processed for national security or defense activities only “by law and only to the extent that it constitutes a necessary and proportionate measure in a democratic society.” Article 6 states that more sensitive categories of data — genetic information, criminal history, race, and health information — may be processed only with appropriate legal safeguards. But Article 11 permits data processing for broad categories, including “the prevention of threats to national security and public safety,” which do not clearly define EU government restrictions on access to datasets voluntarily sold by third-party brokers. + +___`It is not always possible to draw a clear line at “necessary” or “democratic” in the context of government transactions with commercial data brokers, especially when balancing civil liberties and national security interests.`___ + +The European Union’s Law Enforcement Directive (LED) also sets out requirements for authorities to process personal information in a “lawful, fair and transparent” manner that “constitutes a necessary and proportionate measure in a democratic society.” Article 8 of the LED allows data processing to occur only when necessary, based on existing law, and for a legitimate purpose. Article 11 prohibits the use of automated profiling for “adverse” legal decisions without robust safeguards. However, the LED generally does not apply to intelligence authorities and, as such, does not protect individuals from all types of commercial transactions with third-party data brokers. + +The European Union has debated the acceptable parameters of facial recognition for law enforcement purposes, including in the context of commercial databases like Clearview AI. In April 2021, the European Commission presented a draft Artificial Intelligence (AI) Act that seeks to prohibit the use of real-time facial recognition in public spaces by law enforcement, except when strictly necessary to mitigate physical threats, prosecute criminal offenses, or locate missing victims. Due, in part, to concerns over the broad scope of these exceptions, the European Council approved an amended version in December 2022 that proposed to ban “remote biometric identification systems that are or may be used in publicly or privately accessible spaces, both offline and online.” This update expands the proposed prohibition from real-time surveillance to ex post identification, which would directly affect firms like Clearview AI that rely on ex post facial recognition. Once the AI Act is finalized and enacted, it will become one of the world’s first major AI regulations and could carry implications for data brokers that sell facial imagery in not only the European Union but the United States as well. + +#### Schrems II and GDPR Data Adequacy: How Data Brokers Could Create Uncertainty for Cross-Border Data Flows + +In Schrems I and II, the CJEU invalidated the Safe Harbor and Privacy Shield data transfer agreements between the European Union and United States due to concerns that U.S. government surveillance practices did not meet the necessity and proportionality standards required by EU law. In particular, the CJEU cited the U.S. government’s ability to conduct bulk surveillance of EU individuals under Section 702 of the Foreign Intelligence Surveillance Act (FISA) and Executive Order 12333. In response, the Biden administration released a new EU-U.S. Data Privacy Framework (EU-U.S. DPF) in October 2022 that directly adopted the same necessity and proportionality language found in the CFR, Convention 108+, and LED. The EU-U.S. DPF also creates a new redress mechanism to allow individuals within designated countries to request review of suspected U.S. government signals intelligence collection by the ODNI, subject to the oversight of a new Data Protection Review Court within the DOJ. However, the EU-U.S. DPF remains susceptible to future court challenges, and the United States still lacks comparable commercial privacy laws and has not received an adequacy determination under the GDPR. + +Going forward, it will be interesting to see whether EU courts and data protection authorities will shift their focus to the growing data brokerage industry in the United States, especially as technological advancements in the private sector continue to enhance U.S. government surveillance. The European Union’s transactions with commercial data brokers pose a challenge to mitigating similar U.S. practices, as it is difficult to place geopolitical pressure on other countries to refrain from voluntary data access when the full scope of engagement on both sides is unknown. Fragmented intelligence statutes between EU member states can lead to less robust oversight of government purchases of personal information or algorithmic inferences, even if the GDPR reduces the availability of those commercial datasets overall. + +The European Commission has deemed Canada’s level of data protection, but not the United States’, as “essentially equivalent” to the European Union’s, allowing Canada-EU cross-border data transfers greater legal certainty under Article 45 of the GDPR. However, like the United States, Canada has accessed commercial or publicly available information from data brokers and is a member of the Five Eyes alliance. Canada’s Criminal Code generally requires domestic law enforcement agencies to receive authorization to access personal information, but their interactions with data brokers are not publicly clear. In a 2019 annual report, the Canadian National Security and Intelligence Review Agency found that the Canadian Security Intelligence Service used publicly available geolocation data without a warrant, even though it “lacked the policies or procedures” to ensure the legality of such access. The Security Intelligence Service and the Communications Security Establishment of Canada, the nation’s other major national security agency, both adhere to lighter due process requirements in their respective statutes compared to in the Criminal Code. + +___`It is difficult to place geopolitical pressure on other countries to refrain from voluntary data access when the full scope of engagement on both sides is unknown.`___ + +Canada’s Personal Information Protection and Electronic Documents Act (PIPEDA) governs how private companies process and share information, which limits but does not fully prevent commercial transactions with data brokers. After the PIPEDA became effective in 2004, at least one broker, R. L. Polk Canada Inc., announced it would no longer process personal information in Canada. Clearview AI also terminated its services with the Royal Canadian Mounted Police in July 2020 after the Office of the Privacy Commissioner began investigating whether its use violated the PIPEDA and Privacy Act. However, the PIPEDA does not cover de-identified information and still allows firms like Cornerstone, Acxiom, Oracle Canada, Conway, Epsilon Data Management, and InfoCanada to engage in direct marketing or commercial data sharing. Section 7(3) of PIPEDA even allows private entities to voluntarily share personal information with law enforcement agencies without notifying or obtaining consent from the affected person. + +Even if the EU’s Schrems I and II and GDPR adequacy decisions have not focused on the relationship between data brokers and government agencies, multilateral dialogues or consensus on safeguards and privacy principles could help improve trust between partner nations like the United States and Canada. All three governments have laid down some guardrails for compelled disclosure of data, but voluntary access to commercial or public information generally has not received the same level of attention or legal protections. + +#### China’s Data Protection and Data Localization Landscape + +China’s surveillance apparatus relies heavily on private companies that collect and process personal information from both Chinese and non-Chinese individuals. Several statutes codify this relationship, giving China extensive control over the information companies store under its jurisdiction. In response to concerns over China’s data localization and national security laws, the United States, European Union, Canada, and other nations have blocked TikTok on government-issued devices. In May 2023, Montana became to first state to issue a blanket ban on all TikTok operations and app downloads within state borders, which, pending legal challenges, will come into effect in January 2024. Because TikTok’s parent company, ByteDance, is based in China, legislators fear the CCP could access information about U.S. individuals that mobile apps, specifically TikTok, transfer or store within Chinese borders. There is no clear public evidence of direct CCP access through TikTok to date, but legislators have generally cited China’s 2017 National Intelligence Law, which requires individuals and organizations to “support, assist, and cooperate with state intelligence work according to law,” as a primary risk factor. + +In addition to the National Intelligence Law, China’s Cybersecurity Law requires internet platforms that operate within its national borders to assist law enforcement in identifying content “endangering national security, national honor, and national interests.” These categories are fairly expansive. The Cybersecurity Law also imposes explicit data localization requirements, forcing companies to store “personal information or important data” collected in China on domestic servers. Some U.S. technology platforms ceased operations in China after the statute became effective in 2017, but others changed their policies to store data and decryption keys on local state-owned servers. The updated Multi-Level Protection Scheme (MLPS 2.0) also allows the government to monitor domestic private networks for national security threats, facilitating access to all data stored on servers or transmitted on networks within China. + +Enacted in June 2021, the Data Security Law (DSL) further strengthens government access to user data, allowing law enforcement to compel private businesses that operate within China to disclose personal information. The DSL broadly defines key terms such as “core data” and “important data,” which gives authorities oversight over a range of user data like geolocation, browsing activity, financial records, and communications. For example, “core data,” which receives the greatest protections, refers to information that relates to significant public interests, national or economic security, or citizens’ welfare. Data localization laws present privacy concerns for individuals located within the United States that communicate with those in China, as government agencies could potentially read cross-border electronic communications stored in local data centers. This legal framework, in parallel with the burgeoning U.S. and Chinese data brokerage industries, gives the Chinese government significant resources to surveil individuals both within and outside of China. + +Beyond legal authority to compel disclosure of personal information, the CCP has additionally shifted to contracting private companies that voluntarily sell datasets or analytics software to surveil citizens. China’s Ministry of Public Security has reportedly allocated billions of dollars to private sector surveillance technologies under the SkyNet and Sharp Eyes plans. Among these are AI start-ups SenseTime and CloudWalk, which developed facial recognition systems that could identify members of the Uyghur community. According to procurement documents, Wuhan law enforcement has sought out commercial tools to identify people in public spaces, along with their internet, phone, and location history. Shanghai law enforcement, meanwhile, hired Shanghai Cloud Link and other firms to analyze posts and photos from Twitter and Facebook, reportedly combining commercial or public-facing data with government records like driver and voter registries to identify anonymous online accounts. + +In 2019, Forbes reported that some Chinese data brokers sold access to personal information online to any willing buyer, not just government entities, for a few dollars. It is not clear how enactment of the Personal Information Protection Law (PIPL) in 2021 will affect the Chinese data brokerage industry. The PIPL, which includes provisions similar to those of the GDPR, requires private companies to process sensitive personal information only when necessary for approved purposes and limit data retention. It also mandates companies obtain individuals’ consent to process sensitive personal information, which includes data that could harm “personal dignity” or “personal or property safety.” It requires companies that use personal information to conduct algorithmic decisionmaking to follow transparency measures, conduct impact assessments, and allow individuals to opt out of targeted ads or solely automated decisions. Although the DSL and Cybersecurity Law allow government access to private sector datasets, these provisions could reduce the amount of information first-party platforms and data brokers process within China to begin with, depending on compliance and enforcement in practice. + +___`Beyond legal authority to compel disclosure of personal information, the CCP has additionally shifted to contracting private companies that voluntarily sell datasets or analytics software to surveil citizens.`___ + +While U.S. due process requirements under the Fourth Amendment and the ECPA are outdated, they generally provide stronger civil liberties protections than Chinese government agencies follow when compelling personal information from private companies. However, the relative strength of U.S. protections becomes less relevant if law enforcement agencies can bypass them by purchasing commercial data from brokers. Voluntary disclosure creates a significant gap the United States could close to strengthen civil and human rights, promote the long-term sustainability of cross-border data flows, and strengthen geopolitical alliances. Without stronger protections for uncompelled access to commercial datasets, it is more challenging for the United States to discourage other countries from engaging in similar practices and to distinguish itself as a global leader in human rights values. + + +### Recent U.S. Legislative Developments + +#### Federal Commercial Privacy Legislation + +Over the past few years, Congress has proposed dozens of bills that aim to limit data collection, retention, and transfers in the private sector. Some examples include the ADPPA, Consumer Online Privacy Rights Act (COPRA), and SAFE DATA Act, all of which propose a baseline for data minimization, or general limits on companies to collect, process, and share personal data only as necessary to provide a user service or fulfill approved purposes such as fraud or malware detection. Most proposals to update commercial privacy standards would also grant U.S. individuals the right to access, request, and delete personal information held by private companies, as EU individuals possess under the GDPR. These proposals could prevent both first- and third-parties from collecting extraneous data solely for the purpose of resale or targeted advertising and require them to obtain affirmative consent to transfer data to additional parties. + +Many major bills in the 116th and 117th Congresses excluded de-identified, aggregated, and publicly available data from their protections. However, as previously discussed, data brokers often collect and package such data or sell inferred insights in aggregate form, so these bills could exempt some business practices that pose privacy problems. In addition, there is ongoing debate over which data processing purposes should be either categorically or conditionally permitted. For example, the California Privacy Rights Act, but not the ADPPA, explicitly allows companies to process personal information for advertising or marketing services and analytic services, provided that the data are “reasonably necessary and proportionate” to the original purpose of collection. Federal commercial privacy legislation could indirectly reduce the amount of personal information available for domestic government agencies to purchase from brokers, but would not directly impose new restrictions for those that wish to do so. + +#### Proposals to Modernize Government Access to Personal Data + +Compared to its commercial privacy legislation efforts, Congress has introduced a smaller range of bills aimed at restricting the U.S. government from purchasing datasets from commercial brokers. The Fourth Amendment Is Not For Sale Act, introduced in 2021, is the most high-profile such initiative to date. The bill’s premise was fairly straightforward: if laws like the ECPA or FISA would otherwise require U.S. government agencies to obtain a warrant or court order to compel traditional communications service providers to disclose Americans’ data, the same legal procedures should be mandated to purchase that information from a data broker. + +The Fourth Amendment Is Not For Sale Act would not apply to all transfers between data brokers and U.S. government agencies, including those that lack an exchange of money or “anything of value.” It also would not protect non-U.S. individuals from the sale of personal information to U.S. intelligence or law enforcement agencies. Moreover, depending on interpretation, the bill’s definition of “covered customer or subscriber record” could exclude some types of personal information, such as biometrics, algorithmic inferences, publicly available data, or data relating to individuals who are not direct customers of a service. It prohibits government agencies from purchasing “illegitimately obtained information,” which companies obtain either deceptively or in violation of terms of service agreements. This could prevent some, but not all, transactions, especially since many privacy policies openly disclose (in vague terms) transfers of personal information to third parties. + +___`Federal commercial privacy legislation could indirectly reduce the amount of personal information available for domestic government agencies to purchase from brokers, but would not directly impose new restrictions for those that wish to do so.`___ + +While the Fourth Amendment Is Not For Sale Act focuses on the sale of information to the U.S. government, several export control bills emerged in the 117th Congress that would block U.S. data brokers from selling certain categories of personal information to specific foreign governments. The Protecting Military Servicemembers’ Data Act aimed to prohibit data brokers from selling personal information related to military personnel to countries like China, Russia, and Iran. In addition, the Protecting Americans’ Data from Foreign Surveillance Act, reintroduced in June 2023, would prevent private businesses from transferring sensitive U.S. personal information to certain countries such as China and create a list of low-risk countries where data can flow freely. + +In the 118th Congress, legislators have proposed several bills in response to concerns that the CCP could compel ByteDance to hand over TikTok data or control of its content moderation algorithm. For example, the reintroduced ANTI-SOCIAL CCP Act would direct the president to block social media companies, namely TikTok, that use certain algorithms and are located in a handful of countries, including China. The DATA Act would amend the International Emergency Economic Powers Act to allow restrictions on free flows of sensitive personal information, paving the way for the United States to ban TikTok or future Chinese companies. Also motivated by TikTok, the RESTRICT Act would direct the secretary of commerce to identify and potentially prohibit technology transactions relating to companies under the jurisdiction of six countries including China. The White House has endorsed the RESTRICT Act, even though it could further disrupt international data flows by creating another global adequacy system alongside the GDPR and the PIPL. + + +### Next Steps to Regulate U.S. Data Brokers and Their Interactions with Government Agencies + +Because the U.S. data brokerage industry poses systemic risks to privacy and national security, it requires a comprehensive approach to rein in excessive data transfers across the ecosystem. Without across-the-board rules on how all U.S. mobile apps and data brokers transfer sensitive personal information, banning or divesting any single company, like TikTok, would not effectively prevent data leakage to foreign governments like the CCP. It is also worth noting that neither a divestiture nor forced data localization would stop U.S. domestic agencies from accessing Americans’ sensitive personal information — whether through TikTok or data brokers — in ways that could significantly impact privacy and civil liberties. + +Instead, the United States needs a multifaceted strategy that (a) imposes boundaries on how all U.S. companies process personal information, (b) places guardrails on U.S. government transactions with data brokers, (c) enforces purpose limitations on data transfers both within and outside the United States, while also protecting cross-border data flows, and (d) improves transparency and grants both regulators and individuals greater control over personal information. As Thorsten Wetzling and Charlotte Dietrich observe, the German Federal Constitutional Court, or the Bundesverfassungsgericht (BVerfG), put forward a double-door model in 2012 that demonstrated privacy safeguards on both sides of the data transfer relationship — the private sector seller and government buyer. In a similar fashion, both U.S. data brokers and government agencies now require greater accountability in a modern digital age. While Congress could implement some data privacy regulations in the short term, it is also important to consider broader open questions — such as the balance between safeguarding publicly available information, cross-border data flows, and free and open expression — that may require additional dialogue and research in the long term. + +#### Short-Term Actions: Boundaries on Data Brokers + +_Federal comprehensive privacy legislation is necessary to regulate how all U.S. businesses, including data brokers, treat personal information._ + +The growth of the U.S. data brokerage industry is a result of an outdated privacy legal system that urgently needs modernization to keep up with more than 100 nations, including EU member states, Canada, and China, that have already established nationwide rules for how digital platforms process personal data. As a baseline, any forthcoming commercial privacy legislation should limit first- and third-party companies to collecting, storing, and transferring personal data only as necessary to offer a product that users explicitly request — and delete that information once the transaction or service is completed. This general rule should apply to both original data points and any related algorithmic inferences, including aggregate data that could potentially reidentify individuals or pose substantial privacy risks. In addition, such limitations on processing, retention, and transfers should apply to personal information that is widely accessible on the internet or through other means in cases where an individual’s right to privacy outweighs any public interest in that data. + +All U.S. companies need clear rules on handling information, but commercial data brokers require enhanced transparency and oversight measures. Congress should require data brokers in all 50 states to register with the FTC, similar to existing provisions in California and Vermont. In turn, the FTC should create a Do Not Track portal to allow individuals to opt out of all data brokerage transfers in a single place. This concept has already been proposed in various forms, dating back to an FTC preliminary staff report on consumer privacy (2010), a Government Accountability Office report on information resellers (2012), an FTC report on data broker transparency (2014), the draft Consumer Data Protection Act (2018), the Data Broker Accountability and Transparency Act (2020), the SAFE DATA Act (2021), and most recently the ADPPA. The FTC already maintains a Do Not Call registry as a centralized portal for individuals to opt out of telemarketing calls, and a Do Not Track portal would be a logical extension of this concept. + +Finally, all digital platforms should publicly disclose the specific names of third parties they transfer personal information to, along with the third parties’ contact information, categories of data involved, and general purposes of transfer. Such disclosures could bring clarity to otherwise opaque data brokerage practices. Additionally, all individuals should have the right to understand how their personal information is processed and request to correct or delete it. Even if most internet users do not read privacy policies (and should not have to), more detailed public statements could benefit watchdog organizations and regulators, like the FTC, which have used terms and conditions to identify unfair or deceptive acts or practices under the FTC Act. + +_Any forthcoming legislation should carefully craft a definition of “data broker” that extends beyond commercial transactions._ + +Data brokers operate under many different business models. The legal definition of a data broker is critical because it will determine which specific entities would be subject to any enhanced transparency or accountability requirements, like the registration and opt-out mechanisms proposed here. While some proposed frameworks like the Fourth Amendment Is Not For Sale Act focus on transactions involving money or other resources of value, data brokers can operate outside traditional financial exchanges. Kochava and Clearview AI, for example, have offered free trials or demos of individuals’ real-time location information and facial recognition photos, respectively. Data brokers could also voluntarily disclose sensitive personal information to law enforcement agencies without a tangible exchange in hopes of gaining future political goodwill or even to advance their own ideological beliefs — for example, opposition to immigration or abortion. + +The FTC’s 2014 definition of data brokers as “companies that collect consumers’ personal information and resell or share that information with others” can serve as a possible model for data sharing that may or may not involve an exchange of anything of value. However, as data collection and aggregation techniques continue to evolve, it will become crucial to monitor trends in the broader data brokerage industry and periodically revise legal terms as necessary. + +#### Short-Term Actions: Boundaries on Government Agencies + +_Congress needs to pass clear rules to govern how U.S. government agencies procure information from private sector entities._ + +Because Congress has not significantly updated the U.S. privacy legal framework in decades, there is a significant amount of legal uncertainty over the application of traditional statutes to advanced commercial surveillance methods. To bridge these gaps, Congress should prioritize additional research into U.S. government commercial transactions with data brokers and ultimately establish bright-line rules to mitigate the potential for privacy or civil liberties abuses. Unless and until robust legal processes are in place, U.S. government agencies should either impose a temporary moratorium or voluntarily obtain a warrant in order to conduct transactions with data brokers, scrape photos or keywords from publicly available sources, and use facial recognition technologies on commercial databases. + +_U.S. government agencies must improve public transparency and oversight around data access practices._ + +The Obama administration took some measures to improve transparency following the Snowden disclosures, including by declassifying some redacted documents related to FISA surveillance and participating in public hearings. But, in general, the covert nature of national security and law enforcement operations means most Americans are not notified of government surveillance, and many data brokerage transactions may not be disclosed to the public. The January 2022 ODNI report revealed that even “the IC does not currently have sufficient visibility into its own acquisition and use of CAI across its 18 elements,” demonstrating an absence of internal accountability mechanisms as well. The United States is currently undergoing a serious reckoning about racial profiling in state and local law enforcement partially due to increased public visibility, as bystanders can capture videos in public areas using their smartphones and many local police officers wear body cameras. Because many federal operations lack similar external and internal transparency, it is more challenging to exert public pressure to implement critical changes that could benefit society. + +Members of Congress previously introduced the Government Surveillance Transparency Act, which would lift most nondisclosure orders issued to technology companies after the surveillance period ends, and the NDO Fairness Act, which would establish necessity requirements to obtain gag orders and limit their duration to 60 days. The NDO Fairness Act, which passed the House of Representatives in 2022, would also require the DOJ to annually report the quantity and acceptance rates of nondisclosure order applications, as well as the number of individuals affected. To further enhance transparency, after an investigation concludes, federal agencies should directly notify all identifiable individuals whose sensitive commercial data (such as precise geolocation, communications, and biometrics) were obtained, with limited exceptions where disclosure might reasonably and significantly impact national security. + +The Office of the Director of National Intelligence releases the annual Statistical Transparency Report Regarding Use of National Security Surveillance Authorities, which provides generalized figures on the use of compelled mechanisms, including FISA and national security letters. As a next step, all federal agencies could release annual transparency and equity reports that describe any voluntary procurement of commercial datasets or algorithmic insights from private data brokers. At a minimum, these disclosures should include high-level statistics on the frequency, purpose, and context of data brokerage transactions; the specific identities and contact information of sellers; demographic trends within purchased datasets; and percentage of data access requests that contribute to adverse actions like an arrest. By increasing transparency, it is possible to strengthen public accountability for potential abuses of power or gratuitous access to sensitive personal information, inaccurate or discriminatory outcomes, and disparate impact on historically marginalized communities. + +_The FTC and the Privacy and Civil Liberties Oversight Board need sufficient resources to carry out enforcement and oversight duties._ + +Although the FTC has decades-long expertise in data privacy and consumer protection, resource constraints may force it to make tough choices between litigating, settling, and passing over cases. In 2019, the FTC had around 1,100 full-time employees to oversee consumer protection across the entire economy, with only about 50 focused on data privacy. In comparison, the UK Information Commissioner’s Office had around 700 employees exclusively dedicated to data protection, despite having a smaller data brokerage market, a GDP approximately one-tenth the size of the United States, and one-fifth the U.S. population. As the U.S. digital economy continues to grow, FTC appropriations must similarly increase to help prioritize unfair and deceptive data practices or potentially enforce any future federal comprehensive privacy law. In addition, the agency could benefit from additional funding to conduct 6(b) studies on the effects of data brokers on competition in digital markets, especially for small- or medium-sized businesses that might not possess the data aggregation capabilities of dominant digital platforms. + +The Privacy and Civil Liberties Oversight Board (PCLOB) was created to oversee federal government surveillance for counterterrorism purposes, but it may be necessary to strengthen its role and resources to monitor commercial data brokerage transactions as well. The Electronic Privacy Information Center recently called on the PCLOB to examine the use of facial recognition technologies, data-driven fusion centers, and geolocation history from commercial data brokers. The PCLOB could also probe government contracts for social media analysis by private data miners. In addition, the board should prioritize oversight into any potential disparate impact of surveillance on marginalized communities. In 2020, U.S. representatives Anna Eshoo (D-CA), Bobby Rush (D-IL), and Ron Wyden (D-OR) asked the board to investigate federal government surveillance of Black Lives Matter racial equity protests across the United States. + +#### Short-Term Actions: Boundaries on both Data Brokers and Government Agencies + +_While purpose limitations may be effective for private companies, U.S. government agencies need boundaries on their access to personal information in all contexts — no matter their perceived legitimacy of use._ + +Data minimization is a core principle of commercial privacy; businesses should collect, retain, and share personal information only if necessary to provide a requested product or service. However, most privacy frameworks also recognize that businesses may need to process personal information for other legitimate reasons, such as to prevent cybersecurity breaches, detect harmful or illegal activities, or issue product recalls. While the GDPR’s legal bases for companies to process personal information are broad (for example, with individual consent, to carry out “legitimate” or “vital” interests, or to fulfill a “public task”), they still establish a basic structure of categorically or conditionally permitted data processing uses that could serve as a general model for other privacy frameworks. + +Purpose limitations could be effective in the context of the consumer-business relationship, but U.S. government agencies need hard rules like modernized warrant requirements to govern their access to personal information — regardless of the context or original basis for data collection. The U.S. government should not unduly compromise privacy and civil liberties, even if it aims to address a legitimate national security threat. This is particularly important given the sheer scale of data brokerage: some firms advertise access to billions of data points, and most inevitably relate to individuals who do not pose any public safety risks. In addition to warrant requirements, government agencies need clear data retention and minimization rules to prevent unlimited secondary uses or transfers of Americans’ personal information, particularly geolocation, biometrics, and communications. + +_Both companies and government agencies should follow specific legal processes to prevent biased or discriminatory outcomes stemming from digital surveillance._ + +Since historically marginalized communities have borne disproportionate consequences of surveillance, data brokers need formal procedures to promote civil and human rights. Just as medical and legal professionals have legal obligations to maintain client confidentiality, technology companies should bear duties to safeguard the equity, fairness, and security of their data processing and algorithmic outcomes — no matter if they develop or simply deploy the software. The United States has a body of federal and state civil rights law that prohibits some types of discrimination in specific contexts like employment, credit, or housing, but there is legal uncertainty around how pre-internet statutes apply to data brokerage activities. Therefore, Congress must explicitly recognize privacy as a fundamental civil and human right: no company should use or transfer data in ways that could create disparate impact or unequal digital participation based on factors like race, gender identity, country of origin, religion, sexual orientation, age, or disability status. + +There are ongoing debates around whether federal privacy legislation should include a private right of action, but it is important to note that many existing federal and state antidiscrimination statutes allow both individuals and government enforcers to sue companies for civil rights violations. By the same token, individuals should have a legal right to sue data brokers that collect, process, or share personal data in a manner that leads to discriminatory outcomes. On the government side, any federal or local agency that contracts commercial data brokers should undergo robust racial equity and ethics training and improve community engagement on these topics. Ultimately, though, government agencies need strict warrant requirements and public accountability over commercial data transactions to prevent abuse of power. + +In addition, all companies (including data brokers) and government agencies that either develop or deploy automated inferences should regularly audit their processes and outcomes for disparate impact by gender, race, age, disability, or religion. These risk and impact assessments could evaluate the type and scope of personal information processed, high-level demographic information of affected individuals, measures to ensure privacy and data minimization, and completeness of training datasets, particularly around highly sensitive decisions related to law enforcement or public benefits. Moreover, private companies and government agencies should be required to report their findings to Congress and the FTC, which can use the data to advance research on data brokers and inform future recommendations to prevent algorithmic bias or privacy violations. + +#### LONGER-TERM ACTIONS: OPPORTUNITIES FOR FUTURE DIALOGUE AND RESEARCH + +_Any new guardrails on U.S. government transactions with commercial data brokers must also safeguard individuals from the aggregation of “publicly available” information._ + +Americans should have a legal right to privacy in their personal information, regardless of whether they download mobile apps, post on social media networks, drive cars in public areas, or shop online. Several recent surveys suggest shifts in public attitudes toward privacy, although the majority of Americans still expect companies to safeguard personal information. A 2022 Morning Consult poll, for example, found that 92 percent of baby boomers, compared to 70 percent of Generation Z, expects companies to adhere to minimum privacy standards. As societal norms evolve in a digital era, it is possible for the conception of a “reasonable expectation of privacy” to change over time. Other traditional legal standards, such as the third-party doctrine, may lose relevance in a digital ecosystem powered by complex and nontransparent data transfers. Therefore, U.S. internet users need concrete privacy rights even in personal information that mobile apps and third-party data brokers exchange on the commercial market. + +Because public information receives fewer constitutional protections, U.S. government agencies have stretched their interpretation of the term to the furthest possible limits. For instance, the DOD and the CIA consider publicly available data to be any information “available to the public by subscription or purchase” — a binary definition that even the January 2022 ODNI report acknowledges to be outdated. Information should not be considered public if government authorities can access it only through commercial data brokers, which, in turn, must scrape it from millions of websites against their terms of service or purchase it from mobile apps. The ADPPA broadly exempts publicly available information from privacy requirements, including data from “a website or online service made available to all members of the public, for free or for a fee.” Yet, this language could potentially strip information from protections the moment it is posted online, even if it still poses privacy concerns. This definition might also include content that users do not voluntarily upload to the internet and are unable to retract, including images captured by surveillance cameras in public places, or facial recognition databases where a person appears in a photo background without their knowledge or consent. + +While the long-term understanding of publicly available information will continue to evolve alongside society, Congress and government agencies can adhere to some basic principles more immediately. First, publicly available data should encompass only information that is reasonably accessible to the general population without paywalls, subscriptions, or advanced engineering knowledge. For example, if ICE needs to pay Barbaricum $2.1 to 5.5 million over five years to scrape online social media data, then that information should not be considered publicly available. As one precedent, the Supreme Court held in Department of Justice v. Reporters Committee for Freedom of the Press (1989) that a person’s rap sheet should not be considered public information, even if available through some channels, because it was difficult to access and therefore “practically obscure.” + +Second, the definition of publicly available should be limited to content that individuals affirmatively choose to disseminate to a wide audience — and, unless it is a matter of significant public concern, they should be able to retract it at any time. For instance, content that a politician uploads to their public Twitter account with millions of followers might be considered widespread dissemination, but the majority of Americans might not reasonably expect data miners to scrape personal photos intended for tight-knit circles like friends and family. Even in public areas, the geographic movements of most Americans are also not issues of public concern, and individuals often do not voluntarily choose to share them and cannot delete them under U.S. federal law. Public availability should not automatically void all privacy protections either; basic privacy protections should apply unless data are particularly newsworthy or serve a significant societal benefit. + +_While data brokers need clear boundaries to prevent sales of sensitive personal information to adversarial individuals, companies, or governments, cross-border data flows are still vital to the United States and global economies._ + +As surveillance technologies advance, several governments, including the European Union and China, have introduced measures that promote data localization or otherwise restrict cross-border data flows, citing national security or privacy grounds. But data localization alone cannot prevent privacy violations and sometimes enhances domestic government access to sensitive personal information. Moreover, overly broad restrictions on data flows can disrupt online communications and commerce, especially since almost all modern businesses operate websites or apps, conduct electronic global transactions, and otherwise depend on international data flows. + +As the United States weighs various options to address national security risks posed by mobile apps like TikTok and data brokers, it is important to consider how blanket restrictions on cross-border data flows could create unintended long-term consequences. Data localization could prompt other countries to institute reciprocal limitations on the United States or weaken global negotiations on free flows of data in the future. U.S. businesses have already experienced significant uncertainty after the CJEU’s Schrems I and Schrems II decisions threatened to curtail transatlantic data flows. When France joined the United States in blocking TikTok on government-issued devices in March 2023, it also added U.S. apps like Twitter and Netflix to that list. If even close political and economic allies like the European Union and United States cannot maintain trust in data flows, then further normalization of data localization could cause a breakdown of commerce and communications across the global economy. Moreover, even if forced data localization for TikTok or future non-U.S. mobile apps might slow foreign governments from accessing those specific databases, it could simultaneously streamline U.S. government access or potential misuse. Instead of data localization, the United States should promote free flows of information among allies along the lines of the Data Free Flow with Trust framework proposed under Japan’s Group of Twenty (G20) leadership in 2019 — a process that will require ongoing multilateral dialogues and understanding. + +Some bills, like the Protecting Americans’ Data from Foreign Surveillance Act of 2023, propose to use export control laws to prevent certain categories of personal information from being transferred to select foreign countries. Tailored limitations like these could prevent all data brokers and private companies from selling exceptionally sensitive personal information abroad while maintaining overall cross-border data flows. In the end, though, comprehensive privacy measures are the best way to mitigate risk by reducing the amount of extraneous data available to foreign and domestic entities. All U.S. data brokers and private companies should follow certain fair information practice principles: minimizing data collection to specific purposes, deleting data after it is no longer necessary, allowing stronger transparency and oversight, and more. + +_Boundaries on data transfers must also balance values of free speech and expression._ + +An individual’s right to privacy can sometimes come into tension with First Amendment protections on free speech and communications, especially regarding dissemination of publicly available, aggregated, or de-identified information. In Sorrell v. IMS Health (2011), the Supreme Court struck down a Vermont law that prevented pharmacies from selling prescription information to data brokers for marketing purposes, stating it could violate legal standards of “discrimination in expression” and commercial speech. Hoan Ton-That, CEO of Clearview AI, has cited the First Amendment to defend the company’s indiscriminate scraping of photos on public-facing websites. Yet Clearview entered into a settlement agreement in ACLU v. Clearview AI (2022) to halt access to its facial recognition database to private businesses and individuals nationwide and to temporarily pause sales to both public and private entities in Illinois under the state’s Biometric Information Privacy Act. + +While the United States should avoid imposing overly restrictive limitations on information flows, stronger privacy protections can also promote values of free speech and expression. China’s surveillance laws demonstrate how forced censorship can also lead to self-censorship, as fear of government reprisal can prevent individuals from expressing themselves through public or private online channels. Closer to home, experts at the Brennan Center for Justice and Georgetown University’s Institute for Technology Law and Policy warn that social media web scraping by U.S. federal and local police could have a chilling effect on constitutionally-protected environmental, reproductive rights, and racial equity activism. In this manner, clear parameters on how U.S. government agencies collaborate with data brokers can safeguard individuals’ right to speak openly, particularly for historically marginalized communities that have been disproportionately subjected to surveillance based on their race, religion, income, or location. + +The First Amendment is strong but not absolute, as the government can impose tailored restrictions on speech to advance important interests like individual privacy. However, sales of public, aggregated, and de-identified information are an underdiscussed aspect of federal privacy legislation. Additional congressional investigations and hearings may be necessary to gather civil society input on possible restrictions without raising undue censorship concerns. Furthermore, as Cameron F. Kerry and John B. Morris Jr. point out, legislative findings will be important to clarify congressional intent on this matter, which could help any forthcoming federal privacy bill withstand future constitutional challenges. + +_As data collection and algorithmic analysis advance, Congress should thoroughly reevaluate conventional constitutional and statutory limitations on both compelled and voluntary disclosure of data to U.S. government agencies as a long-term objective._ + +In 2014, the White House published a report acknowledging + +> the laws that govern protections afforded to our communications were written before email, the internet, and cloud computing came into wide use. Congress should amend ECPA to ensure the standard of protection for online, digital content is consistent with that afforded in the physical world — including by removing archaic distinctions between email left unread or over a certain age. + +In addition to updating the ECPA to ensure consistent privacy standards across companies like data brokers, any forthcoming reauthorization of Title VII of the FISA Amendments Act should codify the EU-U.S. DPF into statute and consider modernized privacy safeguards. + +The failure to update the ECPA and FISA for the big data era has resulted in archaic distinctions such as the type of device or length of time a message has been stored. The ECPA assigns privacy protections based on categories like metadata or communications content, but since data brokers often derive algorithmic inferences from multiple sources, it is difficult to neatly label modern datasets by type. Title I of the ECPA, commonly referred to as the Wiretap Act, requires the FBI to obtain a “super warrant” to intercept certain real-time communications, but Section 702 of FISA allows the FBI to query incidental communications concerning U.S. individuals without a warrant. The Stored Communications Act mandates a warrant to access electronic messages stored for less than 180 days but only a subpoena or court order for those stored longer than that time frame, even as the increasing affordability of data storage leads individuals and private companies to retain messages for longer periods. + +While this report does not focus on compelled access requests under the ECPA and FISA, the rise of the data brokerage industry calls for a more holistic review of all forms of law enforcement access to private sector data. Congress can undertake this review by holding hearings and conducting investigations. The FTC reporting recommendations from subsection VIII (5) and (6) of this report would assist in this endeavor. Future discussions could also consider new statutory limitations on geofence or keyword warrants given their outsized potential to pose privacy or civil liberties risks to large numbers of individuals. + + +### Conclusion + +To summarize, stronger privacy guardrails on the commercial data brokerage industry would present both short- and long-term benefits for the United States. First, these could enhance the nation’s global reputation for data protection, which is essential to sustaining cross-border data flows and promoting economic stability for U.S. businesses. Even though many international dialogues like the EU-U.S. DPF continue to center around pre-Snowden compelled access to signals intelligence, instead of the rising prevalence of “voluntary” sales of personal information, clear boundaries on commercial data transactions could help build longer-term global confidence in both the U.S. public and private sectors. + +Stricter privacy measures are also vital to national security since data brokers can accumulate detailed personal information and transmit it abroad in ways that could advantage foreign adversaries. However, privacy is not only an economic and national security imperative; it is also an important human and civil right. There are moral and ethical grounds to both directly regulate the data brokerage industry and also reduce U.S. government dependence on it, particularly in light of racial profiling patterns in law enforcement. Without explicit protocols to restrict their interactions with U.S. government agencies, commercial data brokers risk reinforcing the disproportionate oversurveillance of individuals by factors like race, religion, or income. + +Lastly, there are geopolitical implications to consider. By limiting domestic government surveillance, the United States can demonstrate the importance of privacy values for the rest of the world. In turn, stronger U.S. privacy protections could provide a meaningful starting point for longer-term multilateral dialogues on limiting non-U.S. government transactions with data brokers. While the CCP should be held accountable for mass surveillance of its own citizens, particularly the Uyghur and Kazakh communities, the United States is in a weaker position to counteract China when it has made unjust arrests and deportations using personal information acquired from millions of Americans without a warrant. As technology continues to advance, big data will become increasingly central to economics, national security, and human rights. Therefore, it is crucial to set strong precedents and smart policies for data brokers now in order to positively shape their interactions with government agencies for years to come. + +--- + +__Caitlin Chin__ is a fellow at the Center for Strategic and International Studies (CSIS), where she researches the impact of technology on geopolitics and society. Her current research interests include the relationships between data brokers and government agencies, the evolution of news in a digital era, and the role of technology platforms in countering online harmful content.