The United States National Security Agency has been revealed to be purchasing large quantities of internet browsing data on American citizens, without first obtaining a warrant. This was disclosed by NSA Director Gen. Paul Nakasone in a letter addressed to Senator Ron Wyden, a well-known advocate for privacy and ranking member of the Senate Intelligence Committee. The letter, which was published on Thursday, disclosed the practice of the NSA purchasing “various types” of information from data brokers for foreign intelligence, cybersecurity, and other authorized mission purposes.
Nakasone clarified that some of this data may come from devices used both inside and outside of the United States. He specifically stated that the NSA purchases and uses netflow data related to domestic internet communications, as well as communications between a U.S. Internet Protocol (IP) address and an address located abroad. Netflow data, which contains non-content information or metadata about internet traffic, can be used to track network activities and identify potential threats from malicious hackers.
The NSA did not disclose which specific providers they are purchasing the data from. In response to Wyden’s letter, the Office of the Director of National Intelligence (ODNI), which oversees the U.S. intelligence community, stated that this internet metadata can be just as sensitive as location data sold by data brokers, as it can reveal private online activity.
According to Wyden, this internet browsing data can reveal sensitive information about an individual based on their online activity, such as visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or sites related to birth control or abortion medication. Wyden also stated that he was only able to share this information publicly after the NSA declassified it, as he is not allowed to publicly disclose classified materials as a member of the Senate Intelligence Committee.
The use of commercially available data by the U.S. intelligence community raises questions about the legality of such practices. This comes at a time when the NSA is already facing scrutiny from Congress regarding their expiring legal surveillance powers, as well as criticism from within the federal government.
In his letter to the ODNI, Wyden pointed out that the Federal Trade Commission’s (FTC) recent enforcement actions against data brokers raise concerns about the legality of government agencies purchasing Americans’ data. The FTC recently banned X-Mode, a data broker that shared the location data of Muslim prayer app users with military contractors, from selling phone location data. It also ordered another data broker, InMarket, to delete the data it collected without obtaining explicit consent from users. This puts government agencies, like the NSA, in a legal gray area.
When asked for comment on the NSA’s use of commercial data, the FTC declined to comment, saying they had no response at this time. Typically, government agencies need to obtain a warrant before accessing private data from companies or tech providers. However, agencies have argued that they do not need a warrant if the data, such as precise location records or netflow data, is available for purchase by anyone. The legality of this argument has not been tested in U.S. courts.
In his letter, Nakasone stated that the NSA is not aware of any legal requirement to obtain a court order before purchasing data that is also available for sale to foreign adversaries, U.S. companies, and private individuals. In response, Wyden called on the ODNI to implement a policy that only allows U.S. agencies to purchase data about Americans that meets the FTC’s standard for legal data sales. If not, Wyden believes the data should be deleted or, if the agency has a specific need to retain the data, at least be disclosed to Congress or the public.
It is not clear if the NSA also purchases access to location databases, as other federal agencies have done. Nakasone stated in his letter that the NSA does not purchase or use location data collected from phones or vehicles known to be located in the United States. However, this leaves open the interpretation that the NSA could still potentially acquire commercially available location data from sources not known to originate from U.S. devices.
In response to inquiries about their use of commercially available data, NSA spokesperson Eddie Bennett confirmed that the NSA collects netflow data from the internet, but declined to comment further. If you have any information or documents to share with TechCrunch, you can reach journalist Zack Whittaker by Signal at +1 646.755.8849, or via email.