The U.S. National Security Agency is purchasing massive amounts of Americans’ commercially available web browsing data without a warrant, according to the agency’s outgoing director.
NSA Director Gen. Paul Nakasone revealed the practice in a letter to Senator Ron Wyden, a privacy hawk and senior Democratic member of the Senate Intelligence Committee. Wyden published the letter Thursday.
Nakasone said the NSA buys “various types” of information from data brokers “for foreign intelligence, cybersecurity, and authorized mission purposes,” and that some of the data may come from devices “used outside — and in some cases, inside — the United States.”
“The NSA purchases and uses commercially available netflow data relating to entirely domestic Internet connections and Internet connections where one side of the connection is a US IP address and the other is overseas,” Nakasone said in the letter.
Netflow logs contain non-content information (also known as metadata) about the flow and volume of Internet traffic over a network, which can reveal where Internet connections came from and which servers passed data to one another. Netflow data can be used to track network traffic through VPNs and can help identify servers and networks used by malicious hackers.
The NSA did not say from which providers it purchases commercially available Internet logs.
In a response letter to the Office of the Director of National Intelligence (ODNI), which oversees the US intelligence community, Wyden said online metadata “can be just as sensitive” as location data sold by data brokers for its ability to identify Americans’ private online activity.
“Web browsing logs can reveal sensitive and private information about someone based on where they go online, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic violence, or visiting a health care provider remotely focused on birth control or abortion medications,” Wyden said in a statement.
Wyden said he learned of the NSA’s collection of domestic internet records in March 2021 but was unable to share the information publicly until it was declassified. As a member of the Senate Intelligence Committee, Wyden is allowed to receive and read classified materials but cannot share them publicly. The NSA lifted the restrictions after Wyden put the nomination of the next NSA director on hold, the senator said.
The US intelligence community’s practice of purchasing large troves of commercially available data from private data brokers, while not new, was not publicly disclosed until June 2023. The Office of the Director of National Intelligence did not disclose which US spy agencies were purchasing the data, or say whether it knew. By its own admission, the Office of the Director of National Intelligence said at the time that commercially purchased data “clearly provides intelligence value,” but “raises important privacy and civil liberties issues.”
The NSA is not the only US government agency that relies on commercially purchased data for intelligence gathering or investigations. Previous reports show the Defense Intelligence Agency bought access to a commercial database containing Americans’ location data in 2021 without a court order. The Internal Revenue Service also used location data it purchased from a data broker to identify suspects, as did the Department of Homeland Security to track illegal immigrants, without court orders in both cases.
But the use of commercial data by the US intelligence community raises questions about the legality of this practice, at a time when the National Security Agency faces congressional scrutiny over its expired statutory oversight powers and indirect warnings from within the federal government.
In his letter to the Office of the Director of National Intelligence, Wyden pointed to the Federal Trade Commission’s recent executive action against data brokers as raising “serious questions about the legitimacy” of government agencies buying access to Americans’ data.
Earlier this month, the FTC banned X-Mode, a prolific data broker that shared location data of Muslim prayer app users with military contractors, from selling phone location data and ordered the company to delete the data it collected. A week later, the FTC took similar action against InMarket, another data broker, saying the company did not obtain explicit consent from users before collecting their location data, and barring the data broker from selling consumers’ precise location data.
This puts government departments and agencies that use commercially obtained data, such as the National Security Agency, in a legal gray space.
When FTC spokeswoman Juliana Gruenewald-Henderson was reached via email on Friday, she said the regulator had no comment on the NSA’s use of commercial data.
Government agencies typically must obtain a court-approved warrant before obtaining private data about Americans from a phone or technology company. But US agencies have sidestepped that requirement by arguing that they don’t need a warrant if information, such as precise location logs or netflow data, is openly for sale to anyone who wants to buy it, although that legal theory remains untested in American courts.
For its part, the National Security Agency said in its letter to Wyden that it “is not aware of any requirement in American law or judicial opinion … that [the Department of Defense] obtain a court order in order to obtain, access or use information, such as [commercially available information], that is available for purchase to foreign adversaries, American corporations, private persons, and the United States government.”
Wyden called on the Office of the Director of National Intelligence to implement a policy that only allows U.S. spy agencies to purchase data on Americans that meets the Federal Trade Commission’s standards for legal data sales; otherwise, the agency must delete the data. Wyden said that if a US spy agency has a specific need to retain data, it should at least inform Congress, if not the broader public.
It remains unclear whether the NSA is also purchasing access to website databases, as other federal government agencies have done.
Nakasone said in his letter to Wyden that the NSA does not purchase and use location data collected from phones or vehicles “known to be in the United States,” leaving open the interpretation that the NSA could obtain commercially available data if the data was not known to come from American hardware.
When reached by email, NSA spokesman Eddie Bennett confirmed that the NSA collects commercially available Internet netflow data, but declined to elaborate or comment on Nakasone’s statements.
You can contact Zack Whittaker via Signal at +1 646.755.8849 or via email. You can also share files and documents with TechCrunch via our SecureDrop.