(27 January 2022, approved for release by ODNI on 5 June 2023)

(U) EXECUTIVE SUMMARY

(U) There is today a large and growing amount of what the U.S. Intelligence Community (IC) refers to as “Commercially Available Information” (CAI). As the acronym indicates, and as we use the term in this report, CAI is information that is available commercially to the general public, and as such, is a subset of publicly available information (PAI). We do not use the term CAI to include, and we do not address in this report, commercial information that is available exclusively to governments. The volume and sensitivity of CAI have expanded in recent years mainly due to the advancement of digital technology, including location-tracking and other features of smartphones and other electronic devices, and the advertising-based monetization models that underlie many commercial offerings available on the Internet. Although CAI may be “anonymized,” it is often possible (using other CAI) to deanonymize and identify individuals, including U.S. persons.

(…)

Today, in a way that far fewer Americans seem to understand, and even fewer of them can avoid, CAI includes information on nearly everyone that is of a type and level of sensitivity that historically could have been obtained, if at all, only through targeted (and predicated) collection, and that could be used to cause harm to an individual’s reputation, emotional well-being, or physical safety.

(…)

(U) A May 2014 report from the Federal Trade Commission (FTC) provides a similar account:

(U) Data brokers collect data from commercial, government, and other publicly available sources. Data collected could include bankruptcy information, voting registration, consumer purchase data, web browsing activities, warranty registrations, and other details of consumers’ everyday interactions.

(…)

1.3. (U) Examples of CAI. We do not attempt a comprehensive description of the scope and scale of data that are available as CAI, or the relevant markets, in part because they are so large and so dynamic. However, a few examples of CAI offerings will illustrate the current nature of available offerings:

• (U) “Thomson Reuters CLEAR is powered by billions of data points and leverages cutting-edge public records technology to bring all key content together in a customizable dashboard.”

• (U) LexisNexis offers more than “84B records from 10,000+ sources, including alternative data that helps surface more of the 63M unbanked/underbanked U.S. adults.”

• (U) Exactis has “over 3.5 billion records (updated monthly)” in its “universal data warehouse.”

• (U) PeekYou “collects and combines scattered content from social sites, news sources, homepages, and blog platforms to present comprehensive online identities.”

(…)

As the FTC explained in its May 2014 report:

(U) Data brokers rely on websites with registration features and cookies to find consumers online and target Internet advertisements to them based on their offline activities. Once a data broker locates a consumer online and places a cookie on the consumer’s browser, the data broker’s client can advertise to that consumer across the Internet for as long as the cookie stays on the consumer’s browser. Consumers may not be aware that data brokers are providing companies with products to allow them to advertise to consumers online based on their offline activities. Some data brokers are using similar technology to serve targeted advertisements to consumers on mobile devices.

(…)

2.2. (U) Examples of CAI Contracts. The IC currently acquires a large amount of CAI. Unclassified IC and other contracts for CAI can be found at Sam.Gov, a U.S. government website that allows searching by agency or sub-agency and by keywords, among other things. By way of example only, this website shows that the following agencies have, have had, have considered, or are considering the following contracts or proposals related to CAI:

• (U) The Federal Bureau of Investigation (FBI) with ZeroFox for social media alerting (15F06721P0002431)

• (censored)

• U) The Defense Intelligence Agency (DIA) for social media reports on individuals who are seeking a security clearance (HHM402-16-SM-CHECKS), and with LexisNexis for “retrieval of comprehensive on-line search results related to commercial due diligence from a maximum number of sources (news, company, public records, legal, regulatory financial, and industry information),” among other things (HHM402-21-Q-0094)

• (U) The U.S. Navy with Sayari Analytics, Inc. for access to its database that “contains tens of thousands of previously-unidentified specific nodes, facilities and key people related to US sanctioned actors including ‘2+3’ threats to national security” (N0001518PR11212)

• (U) Various offices within the Treasury Department for access to Banker’s Almanac (RFQ-FIN-55100-21-0010)

• (U) The Department of Defense (DOD) for access to Jane’s online (W31P4Q17T0009)

• (U) The Coast Guard with Babel Street for “Open Source Data Collection, Translation, Analysis Application” (70Z08419QVA044).

(U) In addition, DIA has provided the following information about a CAI contract in an unclassified and publicly-available paper sent to Congress on January 15, 2021:

(U) DIA currently provides funding to another agency that purchases commercially available geolocation metadata aggregated from smartphones.

……………………………………