Biden Bans Rival Nations From Buying Sensitive US Data—Good Luck

US president Joe Biden will sign an executive order on Wednesday aimed at preventing a handful of countries, including China, North Korea, and Russia, from purchasing sensitive information about Americans through commercial data brokers in the United States.

Administration officials say categories of sensitive data, including personal identifiers, precise location information, and biometrics—vital tools for waging cyberattacks, espionage, and blackmail operations against the US—are being amassed by what the White House is calling “countries of concern.”

Biden administration officials disclosed the order to reporters in advance during a Zoom call on Tuesday and briefly took questions, on the condition that they not be named or referred to by job title.

The order will have few immediate effects, they said. The US Justice Department will instead launch a rulemaking process aimed at mapping out a “data security program” envisioned by the White House. The process affords experts, industry stakeholders, and the public at large an opportunity to chime in prior to the government adopting the proposal.

White House officials said the US Attorney General would consult with the heads of the Department of State and Department of Commerce to finalize a list of countries falling under the eye of the program. A tentative list given to reporters during Tuesday’s call, however, included China, Cuba, Iran, North Korea, Russia, and Venezuela.

The categories of information covered by the program will include health and financial data, precise geolocation information, and “certain sensitive government-related data,” among others, the officials said. The order will contain several carve-outs for certain financial transactions and activities that are “incidental” to ordinary business operations.

It’s unclear to what degree such a program would be effective. Notably, it does not extend to a majority of countries where trafficking in Americans’ private data will ostensibly remain legal. What’s more, it’s unclear whether the government has the authority or wherewithal (outside of an act of Congress) to restrict countries that, while diplomatically and militarily allied with the US, are also known to conduct espionage against it—close US ally Israel, for instance, which the US accused in 2019 of planting cellphone-spying devices near the White House and has served as an international marketplace for illicit spyware; or Saudi Arabia, which availed itself of that market in 2018 to covertly surveil a Washington Post contributor, later abducted and murdered by a Saudi hit squad.

If China, Russia, or North Korea moves to obtain US data from a third party in one of the more than 170 countries not on the US government’s list, there may be little to prevent it. US data brokers need only take steps to ensure overseas customers follow “certain security requirements” during the transfer, many already required by law.

The restrictions imposed by the executive order, said a White House official, are meant to protect against “indirect transfers of data.” But in effect, that means data brokers simply need to obtain “some type of commitment”—an “understanding”—from overseas customers regarding the possibilities of the data being sold or transferred down the line.