According to the outgoing director, the U.S. National Security Agency is purchasing large amounts of commercially available web browsing data about Americans without a warrant.
NSA director Gen. Paul Nakasone revealed this practice in a letter to Sen. Ron Wyden, a privacy advocate and senior Democrat on the Senate Intelligence Committee. Wyden made the letter public on Thursday.
Nakasone stated that the NSA purchases various types of information from data brokers for foreign intelligence, cybersecurity, and authorized mission purposes. Consequently, some of the data may come from devices used both inside and outside the United States.
Netflow records contain non-content information, also known as metadata, about the flow and volume of internet traffic over a network, which can reveal the origins of internet connections and the servers involved in data transmission. For example, netflow data can track network activity traffic through VPNs and can help identify servers and networks used by malicious hackers.
Wyden, in response to the Office of the Director of National Intelligence (ODNI), emphasized that web browsing records are equally sensitive as location data sold by data brokers, as they have the potential to reveal private online activities of Americans.
Wyden noted that he learned about the NSA’s domestic internet records collection in March 2021 but was not permitted to disclose the information publicly due to classification restrictions. However, these restrictions were lifted after Wyden put a hold on the nomination of the next NSA director.
Moreover, commercial data purchased by U.S. spy agencies has also triggered concerns about the legality of the practice, particularly in light of the recent FTC enforcement actions against data brokers for improper use of data.
Government agencies have argued they do not need a warrant to obtain commercially available information, like precise location records or netflow data, but this legal theory has not been tested in U.S. courts.
Wyden urged the ODNI to implement a policy that aligns with the FTC’s standard for legal data sales, requiring U.S. spy agencies to either delete the data or inform Congress and the public if they have a specific need to retain it.
It is uncertain whether the NSA purchases access to location databases. Nakasone mentioned in the letter that the NSA does not buy and use location data from phones or vehicles known to be in the United States.
You can contact Zack Whittaker by Signal on +1 646.755.8849 or by email. You also can share files and documents with TechCrunch via our SecureDrop.
