The US government buys your user data. Here's what it does with it

A declassified report confirms for the first time that the US government purchases Americans' personal information from third-party data brokers. Here's what you need to know about it.
Written by Jada Jones, Associate Editor

A recently declassified government report confirms for the first time that the US intelligence community purchases commercially available information on Americans. The Office of the Director of National Intelligence released the report detailing how the US government buys and uses personal data and how foreign adversaries could wind up with that data as well.

The report goes on to outline the current legal framework for privacy laws in the US and details how the widespread availability of user data could allow the government to violate Americans' civil liberties.

Unlike the EU, the US does not have data protection laws to govern the sharing or selling of Americans' personal data, making data acquisition a lucrative industry. Federal laws do apply to specific kinds of data, such as medical records (HIPAA), student records (FERPA), consumer credit (FCRA), and VHS rentals (VPPA), among others. But no US laws give Americans the right to access, delete, or control the movements of their personal information, which could create privacy and national security risks. User data is collected via smartphone apps, websites, and vehicles that accumulate large amounts of location data.

Because smartphones and internet use are deeply ingrained in everyday life, it's almost impossible to stop your electronic devices from constantly releasing your personal information. The lack of privacy laws gives companies and the government free rein over user data, which is why this report was declassified, per US Senator Ron Wyden's request.

What is commercially available information?

In the ODNI's report, commercially available information (CAI) is defined as "information that is available commercially to the general public, and as such, is a subset of publicly available information." This information can include your location, credit history, insurance claims, criminal records, employment history, income, ethnicity, purchase history, and personal interests.

Although apps and websites will disclose that some of this information is not linked to your identity, the report says it's possible to "deanonymize [anonymous data] and identify individuals, including US persons," via reverse engineering.

Because CAI is available commercially, the information can be acquired from a third-party data broker, typically in exchange for money. The report defines these data brokers as entities maintaining sophisticated databases full of US citizens' user data.

But data brokers also obtain publicly available information, such as voting registration, bankruptcy information, and web-browsing activity, from cookies. Usually, citizens are unaware that this information is public and that data brokers obtain it.

Data brokers rely on website registration and cookies to track consumers' online activity and sell the data to advertisers to target consumers with ads. This business practice makes user data a highly valuable commodity.

How does the US government use CAI?

The report notes that CAI can be useful to US intelligence agencies when it's obtained in isolation, combined with other publicly available information, or when it's reviewed by humans or machines.

The ODNI's report states that the US intelligence community acquires a significant amount of CAI for "mission-related purposes" and sometimes uses social media data to aid in these missions.

The US intelligence community acquires CAI via contractual agreements, and some of these contracts remain classified. Of the unclassified contracts, six are detailed in the report, and one remains redacted.

The Defense Intelligence Agency (DIA) funds another agency that buys geolocation metadata collected from smartphones. The DIA then acquires the location data and processes it to determine whether it is US-based or foreign-based location data. CAI is also obtained by the FBI and its law enforcement authorities.

The US Navy, Treasury Department, Department of Defense, and Coast Guard have had contracts to acquire CAI. In the past, the IRS tried to purchase location data to track tax fraudsters, and Homeland Security purchased the same type of data to track undocumented immigrants.

Can CAI be used by foreign actors?

According to the report, a study conducted by Duke University found three data brokers -- who advertise their services -- can provide data identifying US military personnel. Data of this kind could be used by foreign actors to target prosecutors, judges, politicians, diplomats, and intelligence operatives.

CAI, if purchased or stolen by the wrong people, could also help enemies interfere with US elections.

Although CAI is publicly available, it can be used to uncover sensitive information about an individual and encroach on their right to privacy. According to the EU's data privacy provisions, known as the General Data Protection Regulation, sensitive information includes someone's race, ethnicity, politics, religion, and biometric data.

All of those kinds of data can be, and are, taken from US citizens and collected by data brokers.

What does all of this mean for your personal data?

Most of your personal data is floating around on the internet and in the hands of data brokers. Sometimes, these brokers' databases are hacked, and your data is stolen and sold on the dark web. In other instances, your data is acquired from brokers by government agencies.

Although it's possible to decline when apps and websites request access to your data -- including your location, contacts, and media -- it's almost impossible to enjoy a streaming service or social media platform without relinquishing your email address, phone number, or physical address.

The ODNI stressed the importance of calling on the federal government to strengthen the legal framework for the protection of American user data. These protections include keeping data from foreign adversaries, limiting the amount of data private companies can collect, and checking the government's powers to ensure it does not violate the rights of Americans.
