Tech Gadget Central Latest Tech News and Reviews
According to the outgoing director of the U.S. National Security Agency, the agency is acquiring large quantities of commercially available web browsing data on Americans without a warrant.
NSA director Gen. Paul Nakasone revealed the practice in a letter to Sen. Ron Wyden, a staunch advocate for privacy and a senior Democrat on the Senate Intelligence Committee. On Thursday, Wyden published the letter.
Nakasone mentioned that the NSA acquires different kinds of information from data brokers for specific purposes, such as foreign intelligence, cybersecurity, and authorized missions. It is possible that some of this data originates from devices both within and outside the United States.
“The NSA purchases and utilizes commercially available netflow data that pertains to internet communications within the United States and those where one side of the communication involves a U.S. Internet Protocol address and the other side is located overseas,” stated Nakasone in the letter.
Netflow records provide valuable insights into the flow and volume of internet traffic across a network, shedding light on the origins of internet connections and the servers involved in data transmission. Netflow data is incredibly valuable for monitoring network activity through VPNs and can play a crucial role in identifying servers and networks utilized by malicious hackers.
The NSA did not disclose the sources of the commercially available internet records it purchases.
In a letter addressed to the Office of the Director of National Intelligence (ODNI), which is responsible for overseeing the U.S. intelligence community, Wyden highlighted the sensitivity of internet metadata. According to Wyden, this type of data has the potential to reveal private online activities of Americans, making it just as sensitive as the location data sold by data brokers.
“Web browsing records have the potential to expose personal and private details about an individual’s online activities, such as visiting websites related to mental health support, resources for survivors of sexual assault or domestic abuse, or accessing telehealth services for birth control or abortion medication,” stated Wyden.
Wyden discovered the NSA’s domestic internet records collection in March 2021, but he couldn’t disclose the information until it was declassified. Being a member of the Senate Intelligence Committee, Wyden has the privilege of accessing and reviewing classified materials, but he is not permitted to disclose them to the public. The NSA removed the restrictions following Wyden’s decision to delay the nomination of the next NSA director, according to the senator.
Although the U.S. intelligence community has been purchasing substantial amounts of commercially available data from private data brokers for some time, this information was only made public in June 2023. The ODNI did not reveal which U.S. spy agencies were purchasing the data, nor did it indicate if it had knowledge of the situation. According to the ODNI, commercially purchased data has been acknowledged to have intelligence value, although it also raises concerns regarding privacy and civil liberties.
Other U.S. government agencies also rely on commercially bought data for intelligence gathering or investigations. Recent reporting indicates that in 2021, the Defense Intelligence Agency acquired access to a commercial database containing location data of Americans, without obtaining a warrant. The Internal Revenue Service also utilized location data it acquired from a data broker to identify suspects, just as the Department of Homeland Security used it to track undocumented migrants, without warrants in both instances.
However, the utilization of commercial data by the U.S. intelligence community raises concerns regarding the legality of this practice. This comes at a time when the NSA is under congressional scrutiny for its expiring legal surveillance powers and facing indirect admonishment from within the federal government.
In his letter to the ODNI, Wyden expresses doubts about the legality of government organizations acquiring access to Americans’ data and makes reference to recent enforcement actions taken by the Federal Trade Commission against data brokers.
In a recent development, the FTC has taken action against X-Mode, a data broker known for its extensive sharing of location data. The company has been prohibited from selling phone location data and has been instructed to delete all the data it has collected. This decision comes after it was revealed that X-Mode had been sharing the location data of users of a Muslim prayer app with military contractors. One week later, the FTC took similar action against InMarket, a data broker, stating that the company failed to obtain users’ explicit consent before collecting their location data. As a result, the data broker was prohibited from selling consumers’ precise location data.
That places government departments and agencies that rely on commercially obtained data, such as the NSA, in a legal gray area.
When contacted via email on Friday, Juliana Gruenwald Henderson, spokesperson for the FTC, declined to comment on the NSA’s utilization of commercial data.
Government agencies usually need to obtain a court-approved warrant before accessing private data on Americans from a phone or a tech company. However, U.S. agencies have found a way around this requirement by claiming that they do not need a warrant if the information, such as precise location records or netflow data, is available for purchase by anyone. It is worth noting that this legal theory has not yet been tested in U.S. courts.
The NSA stated in its letter to Wyden that there is no legal obligation or court order required for the Department of Defense to obtain or use information that is commercially available to both foreign adversaries and the U.S. government.
Wyden urged the ODNI to adopt a policy that restricts U.S. spy agencies to acquiring data about Americans that adheres to the FTC’s criteria for lawful data transactions. Otherwise, the agency should remove the data. According to Wyden, it is important for a U.S. spy agency to inform Congress, and possibly the wider public, if they have a specific need to retain the data.
It is uncertain whether the NSA also buys access to location databases, similar to what other federal government agencies have done.
In his letter to Wyden, Nakasone clarified that the NSA does not purchase or utilize location data from phones or vehicles that are known to be in the United States. However, the statement leaves room for interpretation, suggesting that the NSA may acquire commercially available data as long as its origin from U.S. devices is not known.
When contacted via email, NSA spokesperson Eddie Bennett confirmed that the NSA gathers commercially accessible internet netflow data. However, he chose not to provide further details or offer any comments regarding Nakasone’s statements.
