Well, That’s Everyone: Senator Wyden Letter Confirms The NSA Is Buying US Persons’ Data From Data Brokers

[bnew]

Well, That’s Everyone: Senator Wyden Letter Confirms The NSA Is Buying US Persons’ Data From Data Brokers

Buying domestic data from data brokers is just something the government does all the time. Bypassing restraints enacted by the Supreme Court, federal agencies (along with local law enforcement agen…

www.techdirt.com

Well, That’s Everyone: Senator Wyden Letter Confirms The NSA Is Buying US Persons’ Data From Data Brokers​

Privacy

from the you'd-think-the-NSA-would-have-a-better-data-plug dept​

Mon, Jan 29th 2024 10:51am - Tim Cushing

Buying domestic data from data brokers is just something the government does all the time. Bypassing restraints enacted by the Supreme Court, federal agencies (along with local law enforcement agencies) are hoovering up whatever domestic data they can from private companies all too happy to be part of the problem.

Sure, the government can pretend the Third Party Doctrine applies here. But chances are that most of this data being collected by phone apps and other services isn’t being collected with the full knowledge of device users. This is the sort of thing that’s hidden in the deep end of Terms of Use boilerplate, suckering people out of all kinds of data because they made the mistake of assuming a seemingly-innocuous match-3 game wouldn’t attempt to ping their phone’s location and tie it to specific device IDs.

So, this latest news — as revealed by Senator Ron Wyden — is only surprising in terms of which agency is involved.

U.S. Senator Ron Wyden, D-Ore., released documents confirming the National Security Agency buys Americans’ internet records, which can reveal which websites they visit and what apps they use. In response to the revelation, today Wyden called on the administration to ensure intelligence agencies stop buying personal data from Americans that has been obtained illegally by data brokers. A recent FTC order held that data brokers must obtain Americans’ informed consent before selling their data.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

You’d think the NSA would be able to obtain this data without having to buy it from sketchy third-party vendors. I mean, it has erected one of the most pervasive surveillance apparatuses in the world. It’s completely capable of engaging in domestic surveillance. And, indeed, it often does! So why would it need to purchase something it can obtain (more legitimately[?]) from its own dragnets and risk having part of its collection techniques exposed?

There’s no clear answer to that question, other than it’s pretty easy to spend government money when you’ve got plenty of it. Wyden’s letter [PDF] goes into a bit more detail, but (for obvious reason) it’s not the equivalent of sneaking damning documents out of an NSA data center and handing them over to journalists after exiting the country.

That being said, it took Wyden holding a top NSA position hostage for the government to admit it was buying data from brokers to engage in domestic surveillance.

The secrecy around data purchases was amplified because intelligence agencies have sought to keep the American people in the dark. It took me nearly three years to clear the public release of information revealing the NSA’s purchase of domestic internet metadata. DoD first provided me with that information in March, 2021, in response to a request from my office for information identifying the DoD components buying Americans’ personal data. DoD subsequently refused a request I made in May, 2021, to clear the unclassified information for public release. It was only after I placed a hold on the nominee to be the NSA director that this information was cleared for release.

Wyden asks each “IC [Intelligence Community] element” to open an investigation into the purchase of data from data brokers, as well as an FTC investigation into the business practices of the data brokers themselves. Each IC component is also asked to provide “an inventory of personal data purchased” from data brokers.

Wyden’s letter deals with all data purchased from brokers, but specifically exposes the NSA’s acquisition of internet browser records, which show which sites users visit and which apps they use. The NSA’s denial — delivered to Wyden late last year — claims the NSA isn’t doing something else entirely.

[N]SA does not buy and use location data collected from phones known to be used in the United States either with or without a court order.

That’s the only firm denial in the letter and it only says things about location data, which isn’t what Wyden is expressing his concern about.

However, the NSA — in the same 2023 letter — admitted to doing exactly what Wyden accused it of:

NSA does buy and use commercially available netflow (i.e., non-content) data related wholly to domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.

The NSA is admitting to domestic surveillance. Not the best look for an agency still hoping to resuscitate its reputation following several years of damning leaks, investigations, and inadvertent exposures. We already know the NSA is fully capable of “inadvertently” sweeping up US persons’ data and communications with its Section 702 collection. That’s the thing the FBI constantly abuses to engage in domestic surveillance. It should never need to buy this data from brokers because it has always been able to obtain it otherwise.

This appears to be the NSA collecting even more just because the situation presented itself, rather than for any demonstrated national security need. And that’s the sort of thing no American should be willing to treat as government business as usual.



Filed Under: 4th amendment, avril haines, data brokers, doj, domestic surveillance, internet records, location data, nsa, privacy, ron wyden, surveillance, third party doctrine

Senator Wyden Letter Confirms NSA Is Buying US Persons' Data from Data Brokers | Hacker News

news.ycombinator.com

 

[bnew]

NSA finally admits to spying on Americans by purchasing sensitive data

Violating Americans’ privacy "not just unethical but illegal," senator says.

arstechnica.com

NSA finally admits to spying on Americans by purchasing sensitive data​

Violating Americans’ privacy "not just unethical but illegal," senator says.​

ASHLEY BELANGER - 1/26/2024, 3:36 PM

Enlarge

NurPhoto / Contributor | NurPhoto

123

The National Security Agency (NSA) has admitted to buying records from data brokers detailing which websites and apps Americans use, US Senator Ron Wyden (D-Ore.) revealed Thursday.

This news follows Wyden's push last year that forced the FBI to admit that it was also buying Americans' sensitive data. Now, the senator is calling on all intelligence agencies to "stop buying personal data from Americans that has been obtained illegally by data brokers."

"The US government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical but illegal," Wyden said in a letter to Director of National Intelligence (DNI) Avril Haines. “To that end, I request that you adopt a policy that, going forward," intelligence agencies "may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Wyden suggested that the intelligence community might be helping data brokers violate an FTC order requiring that Americans are provided "clear and conspicuous" disclosures and give informed consent before their data can be sold to third parties. In the seven years that Wyden has been investigating data brokers, he said that he has not been made "aware of any company that provides such a warning to users before collecting their data."

The FTC's order came after reaching a settlement with a data broker called X-Mode, which admitted to selling sensitive location data without user consent and even to selling data after users revoked consent.

In his letter, Wyden referred to this order as the FTC outlining "new rules," but that's not exactly what happened. Instead of issuing rules, FTC settlements often serve as "common law," signaling to marketplaces which practices violate laws like the FTC Act.

According to the FTC's analysis of the order on its site, X-Mode violated the FTC Act by "unfairly selling sensitive data, unfairly failing to honor consumers' privacy choices, unfairly collecting and using consumer location data, unfairly collecting and using consumer location data without consent verification, unfairly categorizing consumers based on sensitive characteristics for marketing purposes, deceptively failing to disclose use of location data, and providing the means and instrumentalities to engage in deceptive acts or practices."

The FTC declined to comment on whether the order also applies to data purchases by intelligence agencies. In defining "location data," the FTC order seems to carve out exceptions for any data collected outside the US and used for either "security purposes" or "national security purposes conducted by federal agencies or other federal entities."

NSA must purge data, Wyden says​

NSA officials told Wyden that not only is the intelligence agency purchasing data on Americans located in the US but that it also bought Americans' Internet metadata.

Wyden warned that the former "can reveal sensitive, private information about a person based on where they go on the Internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion medication." And the latter "can be equally sensitive."

To fix the problem, Wyden wants intelligence communities to agree to inventory and then "promptly" purge the data that they allegedly illegally collected on Americans without a warrant. Wyden said that this process has allowed agencies like the NSA and the FBI "in effect" to use "their credit card to circumvent the Fourth Amendment."

X-Mode's practices, the FTC said, were likely to cause "substantial injury to consumers that are not outweighed by countervailing benefits to consumers or competition and are not reasonably avoidable by consumers themselves." Wyden's spokesperson, Keith Chu, told Ars that "the data brokers selling Internet records to the government appear to engage in nearly identical conduct" to X-Mode.

The FTC's order also indicates "that Americans must be told and agree to their data being sold to 'government contractors for national security purposes' for the practice to be allowed," Wyden said.

DoD defends shady data broker dealings​

In response to Wyden's letter to Haines, the Under Secretary of Defense for Intelligence & Security, Ronald Moultrie, said that the Department of Defense (DoD) "adheres to high standards of privacy and civil liberties protections" when buying Americans' location data. He also said that he was "not aware of any requirement in US law or judicial opinion" forcing the DoD to "obtain a court order in order to acquire, access, or use" commercially available information that "is equally available for purchase to foreign adversaries, US companies, and private persons as it is to the US government."

In another response to Wyden, NSA leader General Paul Nakasone told Wyden that the "NSA takes steps to minimize the collection of US person information" and "continues to acquire only the most useful data relevant to mission requirements." That includes some commercially available information on Americans "where one side of the communications is a US Internet Protocol address and the other is located abroad," data which Nakasone said is "critical to protecting the US Defense Industrial Base" that sustains military weapons systems.

While the FTC has so far cracked down on a few data brokers, Wyden believes that the shady practice of selling data without Americans' informed consent is an "industry-wide" problem in need of regulation. Rather than being a customer in this sketchy marketplace, intelligence agencies should stop funding companies allegedly guilty of what the FTC has described as "intrusive" and "unchecked" surveillance of Americans, Wyden said.

According to Moultrie, DNI Haines decides what information sources are "relevant and appropriate" to aid intelligence agencies.

But Wyden believes that Americans should have the opportunity to opt out of consenting to such invasive, secretive data collection. He said that by purchasing data from shady brokers, US intelligence agencies have helped create a world where consumers have no opportunity to consent to intrusive tracking.

"The secrecy around data purchases was amplified because intelligence agencies have sought to keep the American people in the dark," Wyden told Haines.

 

[ORDER_66]