Third-Party Code Tracking and U.S. National Security

August 4, 2021
Justin Sherman

While much of the American media and national security conversation on data and national security has focused on direct collection of information on U.S. citizens (e.g., see the threads of legitimate concern in the TikTok debate), there are many other vectors through which foreign actors can achieve those same data acquisition objectives. Foreign actors can buy U.S. citizen data from data brokers with virtually no restrictions. They could also use third-party advertising networks: As highlighted in a recent Lawfare article, citing reporting by VICE, “there are allegations that a number of companies use the [real-time-bidding] system [for online ad buying] to collect data that they then sell to government agencies, including U.S. law enforcement and security agencies.” These bidders collect data about the many individuals viewing online ads to conduct these bids in the first place.

Foreign actors can also collect national security-compromising data through third-party code delivery online. Third-party code runs in browsers when a website has plug-ins on its page; third-party code also runs attached to software applications that need to make use of another developer’s code or data to function. There are many ways that third-party code can introduce mechanisms to track not just where users go on the internet, but other information passing through and generated by a user’s device—including, potentially, phone contacts, text messages, GPS location data, email activity, photo storage, and much more.

This data collection is often overlooked in the broader policy conversation about data flows and risks to U.S. citizen privacy and U.S. national security. There is a range of potential policy discussions to be had about this risk set, but this post will focus specifically on foreign intelligence organizations potentially using these vectors to gather information on U.S. persons with current or future national security-sensitive roles.

This is of particular importance for at least five main reasons. First, targeted organizations may overlook these potential data-collection vectors and as such may not be monitoring for security risks through third-party code delivery. Second, targeted organizations, even if they are aware of these vectors, may lack the necessary capacity—whether in available budget, technical resources, or personnel—to monitor for and mitigate against these risks effectively. (Research conducted as part of the Duke Privacy and Democracy Project’s work with The Media Trust has underscored this point.)

Third, the data collected by monitoring users’ internet activity and their internet browsing devices has great depth; internet activity can be highly sensitive, ranging from searches about travel plans to clicks on friends’ social network pages to the viewing of pornographic content. It can also provide insight into an individual’s lifestyle in ways perhaps not immediately thought of as sensitive in an intelligence context, such as with data on an individual’s online financial habits. Fourth, data potentially collected through third-party code delivery online also has great breadth. Internet browsing data can provide insight into a range of personal activities, and monitoring users’ internet activity and internet-browsing devices can also yield a range of related metadata—such as time of activity, location of activity, file downloads, etc. Other data collected from internet-connected devices can yield a plethora of other data points such as GPS location history, text and email communications, and phone contacts. This could all prove useful for a range of intelligence and counterintelligence activities.

Fifth and finally, it does not require extremely sophisticated capabilities to collect data on U.S. persons in this fashion. Sophisticated foreign intelligence services would, in fact, very likely have little problem architecting such a setup. Third-party code is run frequently on many websites through ads and other plug-ins. Third-party code is also a frequent feature of popular software applications. Foreign actors could monitor devices through third-party code they created themselves, or they could tap into the many other third-party code developers already running their code on users’ devices. They could also participate in online ad auctions and, in the process, get access to information on ads that users view. Not to mention they could simply purchase data collected by third-party code developers; there are virtually no restrictions in U.S. privacy law on this practice, and developers of an application may not closely scrutinize the third-party advertising and other plug-ins with which they are sharing user information.

So, which U.S. organizations and U.S. individuals might be targeted with this kind of collection, and why?

Ostensibly, at least a couple of criteria would have to be met: Individuals either hold national security-sensitive positions now (e.g., federal employees, security-cleared contractors) or will likely hold them in the near future. Those individuals are using devices—whether at home, at a worksite, out in the field on work assignment, or elsewhere—that can be accessed via the open internet. The activities in which those individuals are engaging on those devices are potentially useful in an intelligence context (e.g., browsing activity at work and at home). And foreign actors looking to collect and leverage these kinds of data can use third-party code delivery with relative ease.

Take the hypothetical example of cadets at a prestigious military academy. There is a reasonably high likelihood that at least several members of any given academy graduating class will occupy key military and defense positions in the future. By the nature of modern higher education, those individuals would certainly be using devices connected to the open internet for a range of educational and personal purposes; certainly, younger generations’ high levels of internet activity arguably make this more likely by the year. The activities in which those individuals are engaged on those devices could certainly be useful in an intelligence context, including but not limited to collecting information on the individual’s political beliefs, online shopping habits, search activity, and social media network interaction. In this context, third-party code delivery would allow foreign actors to collect this kind of intelligence at scale and more efficiently than with other forms of surveillance. Therefore, foreign actors might have strong incentives to invest in this practice.

For the U.S. government, this presents a complicated set of legal, economic, and security challenges. The ability to use third-party Application Programming Interfaces (APIs), Software Development Kits (SDKs), and other code bases is critical to modern software development and deployment. Reflective of broader problems in cybersecurity, companies may not effectively screen the third-party code they are using or allowing to be run on user devices. But left unchecked, this third-party code delivery provides a potentially valuable source of intelligence collection for foreign governments.

Government agencies, military academies, and other such organizations should implement better protections against third-party code delivery and pay more attention to the range of third-party code developers whose code may run on a device as part of apps or websites. The broader regulatory response, though, must be situated in a broader conversation about the data brokerage and third-party code ecosystem. There needs to be increased accountability for ad networks that facilitate auctions. Working with and/or incentivizing networks to ensure they screen and verify participants in auctions would raise the barrier to entry for foreign intelligence agencies.

More broadly, however, it is not realistic for the U.S. government to focus specifically on limiting foreign access to data on U.S. persons with national security-sensitive jobs when the internet economy itself is founded on surveillance. For U.S. citizens to be adequately protected against contemporary online surveillance, no matter the entity in question, Congress must pass a strong federal privacy law that is then backed up by robust executive branch enforcement capabilities.

 

Justin Sherman (@jshermcyber) is a cyber policy fellow at the Duke Tech Policy Lab, where he directs data brokerage research for Duke’s Privacy & Democracy Project. He would like to thank David Hoffman and Harrison Grant for feedback on earlier versions of this post.
