Congress moves to tighten oversight of commercial data in intelligence operations

The U.S. House of Representatives just passed version of the Fiscal Year 2026 Intelligence Authorization Act (IAA) has buried in its dense language a signal that lawmakers are no longer content to let the Intelligence Community’s (IC) purchases of commercially available information (CAI) from data brokers escape scrutiny.

The move comes on the heels of a national reckoning on data brokers and digital rights. In July, the Senate Judiciary Subcommittee on Privacy, Technology, and the Law heard testimony about how Americans not only are being systematically stripped of their digital privacy, but that data brokers pose a direct threat to the lives of the individuals about whom they collect and sell information.

The House IAA would require the Director of National Intelligence (DNI) to designate an official to oversee acquisitions of CAI, produce annual briefings for Congress, and impose tighter budgetary controls.

The House bill would “ensure IC entities responsibly purge commercially available information and publicly available information pertaining to U.S. persons’ information incidentally gathered,” said House Permanent Select Committee on Intelligence Chairman Rick Crawford.

For years, agencies have quietly bought CAI that once would have been collected through subpoenas or warrants. Now, amid new revelations that airlines sold more than five billion ticket records to the government for warrantless searches through the Airlines Reporting Corporation (ARC), the airlines-owned data broker, Congress is moving to put guardrails around practices that critics say erode civil liberties and circumvent constitutional protections.

At the heart of the House bill is a push for centralized control. A newly designated official inside the Office of the Director of National Intelligence (ODNI) will be charged with deconflicting purchases, preventing duplication, and maximizing interoperability among the IC’s 18 federal agencies.

Data vendors will be required to provide clear specifications, and acquisitions must meet common standards for quality and performance.

Beginning in May 2027, the designated ODNI official would be required to annually brief congressional intelligence committees on the scope and rationale of commercial data purchases, ensuring that elected representatives are no longer kept in the dark.

The bill also requires that budgetary materials for fiscal years 2027 through 2029 explicitly account for acquisitions of commercially available information, effectively forcing agencies to show their work when it comes to how much they are spending and why.

The House provisions align with, but differs from the Senate’s version of the Intelligence Authorization Act. The Senate bill requires each element of the IC to submit annual reports on its use of what it terms “sensitive commercially available information.”

These reports must disclose the volume of data acquired, the sources and vendors providing it, the legal authorities invoked, and the mission needs served. Agencies are also directed to assess whether datasets contain bias that could distort analysis and to detail safeguards for retention, access, and deletion.

In addition, the DNI must publish a biennial public report summarizing the Intelligence Community’s policies for handling such data. It is a step toward transparency in an area where public accountability has been virtually absent.

The urgency behind these reforms comes amidst disclosures that airlines sold the government a staggering volume of passenger records spanning years of travel. These records, purchased without judicial oversight, gave agencies the ability to sift through itineraries, travel companions, and global movement patterns with a level of detail rivaling government-run watchlists.

For privacy advocates, the revelation is proof of what they had long feared, which is that agencies are using commercial markets to assemble surveillance tools far beyond the reach of traditional warrants. For lawmakers, the sale of such information risks leaving commercially available information outside robust oversight structures.

The implications of the airlines’ sale of ticket purchase data are profound. Passenger Name Records, or PNRs, contain not just destinations and flight times, but also contact information, payment details, frequent flier numbers, and sometimes even special service requests that can reveal medical or religious needs.

When aggregated across billions of tickets, the dataset becomes a powerful instrument for mapping social networks, identifying travel patterns, and targeting individuals. Disparate commercial anonymized datasets can be de-anonymized when combined with other datasets.

This process relies on quasi-identifiers like location, gender, birth date, or device IDs, which, when cross-referenced with other information, can uniquely identify people. For example, a combination of birth date, gender, and ZIP code can be enough to pinpoint an individual, even in anonymized datasets.

While the government has long maintained systems for screening international travelers, the purchase of bulk domestic and international airline records from carriers raises questions about whether intelligence and law enforcement agencies have been building parallel databases outside statutory frameworks. It is precisely this kind of sidestepping that the House and Senate are now trying to rein in.

The Intelligence Community has leaned on the commercial data market in part because it is faster and sometimes cheaper than building proprietary collection systems. Commercial satellite imagery, for example, has allowed analysts to track troop movements in near real time. Location feeds from cell phones have been used to monitor foreign adversaries.

But the line between foreign and domestic quickly blurs. Once data enters government systems, it can be queried and cross-referenced in ways that sweep in Americans. Without strict controls, the same databases that help identify a Russian arms shipment could also be used to chart the movements of U.S. citizens without a warrant.

The sale of airline records only deepens those concerns, since most of the data involves Americans engaged in routine travel.

What makes the current debate different is that the data in question originates in the commercial sector, where privacy protections are often thin and where brokers are eager to sell. That puts Congress in the position of regulating not just the government’s activities, but also the contours of a data market that is worth billions of dollars annually.

The House’s approach is to create management and budgetary controls that will surface duplications and provide a clearer picture of the scale of acquisitions. The Senate’s approach is to force transparency through detailed reporting and public disclosures.

If both provisions survive a conference committee to reconcile the two bills’ differences, the Intelligence Community will face a one-two punch – new centralized management and budget oversight on the one hand, and new obligations to report and disclose on the other.

For privacy advocates, that combination is the first meaningful step toward accountability in a generation. For intelligence officials, it is a recognition that while commercially available data is here to stay, its use must be defended openly.

Vendors, too, will feel the impact. The House bill requires coordination of requirements with vendors, meaning private firms can no longer rely on disparate agencies issuing fragmented requests. The Senate bill extends oversight to vendor practices themselves, obligating agencies to report on the security architecture of contractors and the terms of their licenses.

For airlines, the scrutiny could be particularly intense. Having sold billions of ticket records, carriers may be forced to explain what contractual restrictions, if any, are put on government use of the data, and whether they put safeguards in place to prevent abuse.

For an industry already under pressure from regulators and the flying public, congressional oversight could add a new layer of accountability.

Still, there are limits to what the new provisions can accomplish. Neither the House nor the Senate version bans the purchase of commercially available information, and neither requires judicial approval before agencies can buy sensitive datasets.

Instead, both bills adopt an oversight model that seeks to make the practice more transparent and better managed. Agencies will still have wide discretion to decide what to buy and how to use it, but they will have to be prepared to defend those decisions before Congress. If abuses come to light, lawmakers may be forced to return with sharper restrictions.

The Intelligence Community insists that commercially available information is indispensable. Officials argue that without access to broad datasets, the United States risks falling behind adversaries who face fewer legal constraints.

But the revelation about airline ticket sales complicates that narrative. It suggests that in pursuit of intelligence advantage, agencies may have reached further into the lives of ordinary Americans than many realized. That puts pressure on Congress to not only oversee but to decide where the line should be drawn.

The first test of the new provisions will come quickly. With the House bill passed and the Senate’s version advancing, a conference committee will soon decide how to reconcile differences.

If the House’s management and budget controls are included, the DNI will need to stand up new oversight structures almost immediately. If the Senate’s reporting requirements make it into the final law, agencies will face the unprecedented task of cataloging and disclosing their use of sensitive CAI datasets.

Combined, these measures would represent the most significant expansion of congressional oversight into intelligence collection since the post-Snowden reforms.

For now, what is clear is that the days of unchecked data purchases are ending. Congress is reasserting its role, not to cripple the Intelligence Community but to ensure that powerful tools are used responsibly.

The sale of billions of airline ticket records underscores why such oversight is necessary. It shows how easily sensitive information can be commodified and how readily the government can buy its way into surveillance capabilities that once would have required a warrant.

The challenge for lawmakers will be to craft rules that preserve the intelligence community’s ability to protect the nation while preventing abuses that undermine the very freedoms they are meant to defend.

The 2026 Intelligence Authorization Act will not settle that challenge once and for all, but it will mark a turning point. For the first time, Congress is building a framework that acknowledges the risks of the data broker economy and demands accountability from those who tap into it.

Whether the issue is billions of airline tickets or billions of cellphone pings, the message from Capitol Hill is unmistakable. If the IC wants to buy data, it must be prepared to explain what it is buying, why it is needed, and how the rights of Americans will be protected.

Article Topics

data brokers  |  data privacy  |  data protection  |  legislation  |  regulation  |  U.S. Government