Friday, May 30, 2025

Spying On The US of A

The fact that the counterintelligence people—one that comes to mind was a guy named Peter Strzok who was Deputy Assistant Director of the FBI's Counterintelligence Division—that they weren't cashiered and criminally investigated for their failures during the twenty-teens seems rather amazing.

From American Affairs Journal, volume IX, number 2/Summer 2025:

Data-Broke: U.S. Tech Firms’ Counterintelligence Dilemma

Nearly a decade has passed since the breach of the U.S. Office of Personnel Management (OPM) by Chinese state-backed hackers in the spring of 2015. That the operation netted Beijing the detailed backgrounds and personal data of over twenty million federal employees, clearance-holders, and applicants, as well as that of their co-habitants and spouses, constituted one of the most damaging counterintelligence breaches in U.S. history. Assessing the loss, former Central Intelligence Agency (CIA) and National Security Agency (NSA) chief Michael Hayden offered a blunt, sobering take: “It remains a treasure trove of information that is available to the Chinese [Communist Party] until the people represented by that information age off. There’s no fixing it.” In his estimation, the impact of the breach would take a generation or more to fully subside, until the youngest members of the federal workforce at that time ultimately retired.1

Over the following decade, it would become clear that such counterintelligence hazards would hardly subside at all for reasons that were not yet fully evident, but still perhaps predictable. The aggregation of personal and location data on American consumers, including military service members, intelligence officers, national security officials, and contractors, would become part and parcel of the data-driven advertising behemoth that underpins the modern digital economy. While the threat of sophisticated cyber breaches into sensitive datasets remains, another trend is both an addition and contributor to the hacking risk: there is little need to steal through cunning espionage what can be obtained through little cost or effort in a vast and open data marketplace.

The question is whether such a status quo can be sustained without causing irrevocable damage to the counterintelligence interests of the United States. Can consumer data be treated as a “strategic resource,” as the most recent National Counterintelligence Strategy asserts, from both the commercial and security perspectives simultaneously?2 Or will one necessarily come at the expense of the other? As the age of “Big Data” and advances in computing have birthed the Artificial Intelligence era, these questions require urgent attention from policymakers. In what follows, we argue that they have, indeed, at critical points come into underappreciated but serious tension.

From OPM to Equifax to Salt Typhoon, the issue is now less that a single sensitive puzzle piece might be collected by U.S. adversaries but that a holistic mosaic has already been aggregated: that a vivid and detailed picture of U.S. military, intelligence, and national security rank-and-file personnel is coming into view for any sophisticated adversaries who care to look.

Military Jogging Routes and AdTech Targeting Packages

It’s no secret that the entities that collect and store people’s data are vulnerable to hacking. What is far less understood is the degree to which companies building and managing smartphones, laptops, mobile apps, websites, and myriad other digital technologies and interfaces all collect, aggregate, analyze, and share people’s information. Jogging enthusiasts and open-source intelligence researchers brought this problem to the fore in 2018 when they revealed that Strava, a software application linked to FitBit devices, had been publicly posting the geolocations of its users. This oversight enabled curious online sleuths to watch U.S. military forces and intelligence officers in countries around the world as they jogged around forward operating bases and visited, presumably, safe houses.3 While hardly a responsible privacy practice (even average runners might find their total run history, with timestamps, made available online without a password disturbing), what would have been an obvious, serious breach in a government context was the product instead of shockingly widespread industry data practices.

Corporations that are even less understood accelerate this personal data collection, aggregation, and analysis further. Companies that manage real-time bidding networks—algorithmically run online auctions for other companies to buy “ad space” on an app, website, and so forth in order to show people ads—make reams of personal data available to countless entities sitting in the virtual auction house, on a constant basis, every single day.

Data brokers, those companies in the business of aggregating and selling people’s data, likewise root their business, and as such their profit margins, on repeatedly selling information they’ve bought, compiled, and inferred to a wide range of buyers, largely at their own discretion.

Connected devices used by American consumers now routinely come with third-party software installed which transmits information about users, activity, and location to the digital advertising market—data brokers and bidding exchanges—to be packaged, traded, and sold. And companies that want to target people with particular messages, and then collect data on their responses, can leverage adtech companies to profile and reach individuals.

The prodigious volumes of data both collected and publicly available on data markets illustrate the remarkable extent to which Americans’ personal information is rendered vulnerable to being hacked, stolen, and compromised. This fact alone should put OPM-style hacks into perspective. As NSA General Counsel April Doss wrote in 2020, governments pose but one facet of the challenge: “Data collected by national security programs [have come to] pale in comparison to the exquisitely detailed user profiles that are being amassed” either by, for, or on behalf of the U.S. tech sector.4

From Dating Apps to General Motors

A host of real-world events and civil society investigations from the post‑OPM decade illustrate why the explosion of commercially available Big Data complicates and accelerates the counterintelligence dilemma facing the United States. Researchers have long demonstrated the ease of identifying, targeting, and even inducing U.S. and allied military service-members through their use of social media, dating, and messaging apps.5 Their findings highlight the already high risks posed by poor organizational and operational security in the digital era.

More recently, a group of journalists outlined how even the most conscientious users, including those playing sensitive roles in government, intelligence, or the military, would be hard-pressed to extricate themselves from the digital ecosystem hard-wired into their devices. The team accessed geolocation and related data from in and around a U.S. military installation in Germany, one which is said to house, among other things, elements of America’s nuclear arsenal and intelligence collection platforms. Their assessment is alarming: “Not only is [such] data collection likely capable of revealing military secrets, it is essentially unavoidable at the personal level. . . service members’ lives being simply too intertwined with the technology permitting it.”6

Attempts to cordon off specific locales from such data-harvesting are unlikely to alleviate such counterintelligence concerns. The vast majority of modern smart devices require some degree of geolocation data to function properly. Even if tech companies were prohibited from collecting and selling geolocation around specific sensitive facilities, the prohibition would fail to cover everywhere else affiliated personnel travel, everyone else they associate with, and everything else they do.7 U.S. law generally requires an affirmative opt-in from users to collect and sell geolocation data, but this appears to serve more as a speed bump (or speeding ticket) rather than an adequate barrier against the targeting of U.S. officials and installations.8 Just as the average citizen flies past the privacy policy and terms of service briefly popped onto their screens, clicking “agree” without so much as a substantive glance, so, too, do many U.S. government affiliates, rendering their supposed opt-ins just as illegitimate in practice. The Federal Trade Commission (FTC) has only historically taken a small number of enforcement actions against violators, most recently against General Motors.9 Such actions, however, are mostly designed to bring offending organizations into full (or stricter) compliance with the law, while any punitive fines for unscrupulous activity ($51,744 per violation) are likely insufficient to serve as a deterrent in the broader multi-billion dollar digital advertising industry.10

The inability or unwillingness of the industry to police itself essentially means the data brokerage ecosystem can only be as ethically or legally respectful of consumer privacy as its least scrupulous participants. As legal scholar Andy Wang argues, “The magnitude of harm arising from one broker’s activities depends on what data other brokers in the network are selling.”11

Unlike tangible goods, data is an endlessly duplicable, non-exhaustible, and non-rivalrous good. A “tragedy of the commons” thus prevails: if one broker accumulates and sells nonconsensual or otherwise protected data, the compliance efforts of others can be mooted. Compounding the issue is that so-called know your customer (KYC) practices are either nonexistent or inconsistently applied throughout the data brokerage industry. According to a team of scholars from Duke University, “A malicious actor could easily lie their way around many data brokers’ lax KYC controls, or simply find a broker with virtually no KYC practices whatsoever.”12

Meanwhile, the promise that the data collected and aggregated on U.S. citizens can be safely and irreversibly “anonymized” has been repeatedly debunked as wishful thinking by researchers. For instance, a 2019 study at Imperial College, London, drew on just fifteen demographic attributes to reidentify U.S. citizens from an anonymized dataset, concluding that a composite picture of 99.98 percent of Americans could likewise be constituted, “seriously challeng[ing] the technical and legal adequacy of the de-identification release-and-forget model.”13 Nordic academics in 2021 likewise found that a year’s worth of usage data by 3.5 million people from as few as four mobile apps was sufficient to reidentify 91.2 percent of them by cross-referencing publicly available information.14 “Americans are the easiest to re-identify,” the authors noted, raising the stakes in a society where only a small handful of companies control the entire mobile app ecosystem.

Endless hype cycles about AI and the future of the digital economy only further accelerate companies’ efforts to collect vast amounts of information, aggregate and analyze disparate datasets, and monetize and sell data previously collected for a limited purpose. In other words, they accelerate the collection and dissemination of what is, at the end of the day, effectively exploitable intelligence on U.S. assets and personnel.

Protectionism, AI Competition, and Strategic Vulnerability

In 2025, national-level economic planning and industrial policy have largely shed the stigma that once surrounded them. As competition with China continues to intensify and a second Trump administration takes its stride, all eyes are on a U.S. tech sector that has achieved an almost mythical strategic significance. Beyond their innovative capacities, the U.S. federal bureaucracy and military-industrial complex have become widely dependent upon—if not inextricably linked with—the major tech multinationals, such as Microsoft, Google, Amazon, Palantir, Starlink, OpenAI, and others. The continued success of these firms is thus considered as much an issue of national security (however spurious those claims may be) as one of geoeconomic vitality....

....MUCH MORE

If interested, here is a series of articles from Foreign Policy to which we linked in January 2021:

The Unbelievable Failure Of The CIA And The Intelligence Community Regarding China

This is part II of a three-part essay from Foreign Policy. We linked to part I in January 2's: Data and Money and Death: "China Used Stolen Data to Expose CIA Operatives in Africa and Europe".

China Beats the CIA Pt. III: "Tech Giants Are Giving China A Vital Edge in Espionage"