NSA Buys Americans’ Internet Data Without Warrant, Letter Says

The National Security Agency purchases certain records related to Americans’ domestic Internet activities from commercial data brokers, according to an unclassified letter from the agency.

The letter, addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data, other than to emphasize that it did not include the content of Internet communications.

Still, the disclosure is the latest disclosure that highlights a legal gray area: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from intermediaries that would require a court order to acquire it directly.

It comes as the Federal Trade Commission has begun cracking down on companies that trade in personal location data collected from smartphone apps and sold without people’s knowledge and consent about where it would end up and for what purpose it would be used.

In a letter to the director of national intelligence As of Thursday, Sen. Ron Wyden, D-Ore., argued that “Internet metadata” — records that show when two computers have communicated, but not the content of any message — “may be equally sensitive” as data. of locations targeted by the FTC. .

He urged intelligence agencies to stop purchasing Internet data on Americans if it was not collected according to the standard the FTC has set for location records.

“The United States government should not fund or legitimize a shady industry whose blatant violations of Americans’ privacy are not only unethical, but illegal,” Wyden wrote.

A representative for the director of national intelligence, Avril D. Haines, did not respond to a request for comment.

The NSA made his specific disclosure under pressure in a letter its outgoing director, Gen. Paul M. Nakasone, sent last month to Mr. Wyden. In November, Senator put a hold on President Biden’s nominee to be the agency’s next director, Lt. Gen. Timothy D. Haugh, to prevent the Senate from voting on his confirmation until the agency publicly reveals whether it was purchasing the location data and browsing logs American website.

In the letter, General Nakasone wrote that his agency had decided to disclose that it purchases and uses various types of commercially available metadata for its intelligence and cybersecurity missions abroad, including network flow data “related to wholly domestic Internet communications.” .

Netflow data generally means Internet metadata showing when computers or servers have connected but it does not include the content of your interactions. Such records can be generated when people visit different websites or use smartphone apps, but the letter does not specify how detailed the data the agency purchases.

When asked for clarification, an NSA official provided a statement saying the agency purchases commercially available network flow data for its cybersecurity mission of trying to detect, identify and thwart foreign hackers. He noted that “at all stages, the NSA takes steps to minimize the collection of information from American persons,” including by using technical means to filter it.

The statement added that it limited its network flow data to Internet communications in which one side is a computer address within the United States “and the other side is foreign, or where one or both communicators are foreign intelligence targets, as a malicious cyber actor.”

While General Nakasone also acknowledged that some of the data the NSA purchases is “associated with electronic devices used outside (and, in certain cases, within) the United States,” he said the agency did not purchase location information. national, not even Internet-connected phones or cars known to be in the country.

Wyden, a veteran privacy advocate and surveillance skeptic who has access to classified information as a member of the Senate Intelligence Committee, has proposed legislation that would prohibit the government from purchasing data on Americans that would otherwise require a court order to obtain. .

In early 2021, he obtained a memo revealing that the Defense Intelligence Agency purchases commercially available databases containing location data from smartphone apps and had searched them multiple times without a warrant for past movements of Americans. The senator has been trying to persuade the government to publicly reveal more about his practices.

The correspondence with Wyden, some of which was redacted as classified, strongly suggested that other branches of the Defense Department also purchased that information.

Law enforcement and intelligence agencies outside the Defense Department also purchase data on Americans in ways that have drawn increasing scrutiny. In September, the inspector general of the Department of Homeland Security Several of its units failed. for purchasing and using smartphone location data in violation of privacy policies. Customs and Border Protection has also indicated that I would stop buying that data.

Other letter to Mr. Wyden, by Ronald S. Moultrie, the undersecretary of defense for intelligence and security, said that acquiring and using such data from commercial brokers was subject to several safeguards.

He said the Pentagon used the data legally and responsibly to carry out its various missions, including detecting hackers and protecting US service members. There is no legal impediment to purchasing data that would be “as available for purchase by foreign adversaries, U.S. companies, and private individuals as it is by the U.S. government,” he added.

But in his own letter to Haines, Wyden urged intelligence agencies to adjust their practices, pointing to the Federal Trade Commission’s recent crackdown on companies that sell personal information.

This month, the FTC banned a data broker formerly known as X-Mode Social to sell location data as part of a first-of-its-kind agreement. The settlement stated that the agency considers the commercial location data, which was collected without consumers’ consent and which would be sold to government contractors for national security purposes, to be a violation of a provision of the Federal Commission Act. Trade that prohibits unfair and deceptive transactions. practices.

And last week, the FTC released a proposed agreement with another data aggregator, InMarket Media, preventing it from selling precise location data if it doesn’t fully inform customers and obtain their consent, even if the government is not involved.

While the NSA does not appear to buy data that includes location information, Wyden argued that Internet metadata can also reveal sensitive things, such as whether a person is visiting websites about counseling related to topics such as suicide, substance abuse, or addiction. sexual abuse, or others. private matters, such as whether someone is looking for abortion pills in the mail.

In his letter, he wrote that the action against X-Mode Social should be a warning to the intelligence community and asked that Ms. Haines “take steps to ensure that US intelligence agencies only purchase data about Americans that has been obtained legal manner.” .”