The National Security Agency is buying some logs related to Americans’ domestic Internet activities from commercial data brokers, according to an unclassified agency letter.
The letter, addressed to a Democratic senator and obtained by The New York Times, provided few details about the nature of the data except to emphasize that it did not include the content of online communications.
But the revelation is the latest to highlight a legal gray area: intelligence and law enforcement agencies sometimes buy potentially sensitive and revealing domestic data from brokers that would require a court order to obtain directly.
It comes as the Federal Trade Commission has begun cracking down on companies that trade in personal location data collected by smartphone apps and sold without people’s knowledge of, or consent to, where it would end up and what it would be used for.
In a letter to the director of national intelligence Thursday, Sen. Ron Wyden, D-Oregon, argued that “Internet metadata” — logs that show when two computers have communicated, but not the content of any message — “can be as sensitive” as the location data targeted by the FTC.
He urged intelligence agencies to stop buying online data about Americans if it wasn’t collected according to the standard the FTC has set for location records.
“The US government should not fund and legalize a shadow industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Mr. Wyden wrote.
A spokesman for the director of national intelligence, Avril D. Haines, did not respond to a request for comment.
The NSA made its specific disclosure under pressure in a letter its outgoing director, Gen. Paul M. Nakasone, sent last month to Mr. Wyden. In November, the senator blocked President Biden’s nominee to be the agency’s next director, Lt. Gen. Timothy D. Haugh, to prevent the Senate from voting on his confirmation until the agency publicly disclosed whether it was buying Americans’ location data and Internet browsing records.
In the letter, Gen. Nakasone wrote that his agency had decided to disclose that it purchases and uses various types of commercially available metadata for foreign intelligence and cybersecurity missions, including netflow data “related to entirely domestic Internet communications.”
Netflow data generally means Internet metadata that shows when computers or servers have connected, but does not include the content of their interactions. Such records can be created when people visit different websites or use smartphone apps, but the letter does not specify how detailed the data the agency buys is.
Asked to clarify, an NSA official provided a statement saying the agency buys commercially available network data for its cyber mission, which tries to identify, trace and deter foreign hackers. He stressed that “at all stages, the NSA takes steps to minimize the collection of information on US persons,” including using technical means to filter it.
The statement added that it limited netflow data to online communications in which one party is a computer address within the United States “and the other party is foreign, or where one or both communicators are targets of foreign intelligence, such as a malicious cyber.”
While Gen. Nakasone also acknowledged that some of the data the NSA buys “is associated with electronic devices used outside — and, in some cases, inside — the United States,” he said the agency did not buy domestic location information, including from Internet-connected phones or cars known to be in the country.
Mr. Wyden, a longtime privacy advocate and surveillance skeptic who has access to classified information as a member of the Senate Intelligence Committee, has proposed legislation that would bar the government from buying data on Americans that would otherwise require a court order to acquire.
In early 2021, he received a memo revealing that the Defense Intelligence Agency was purchasing commercially available databases containing location data from smartphone apps and had searched them multiple times without a warrant for Americans’ past movements. The senator is trying to get the government to publicly reveal more about its practices.
Correspondence with Mr. Wyden, some of which has been ordered classified, strongly suggested that other arms of the Defense Department are buying such data.
Law enforcement and intelligence agencies outside the Department of Defense are also buying data about Americans in ways that have drawn increased scrutiny. In September, the Department of Homeland Security’s inspector general accused several of its units of buying and using smartphone location data in violation of privacy policies. Customs and Border Protection also said it would stop buying such data.
Another letter to Mr. Wyden, from Ronald S. Moultrie, the undersecretary of defense for intelligence and security, said the acquisition and use of such data from commercial brokers is subject to various safeguards.
He said the Pentagon used the data legally and responsibly to carry out its various missions, including detecting hackers and protecting US service members. There is no legal bar to buying data that was “just as available for purchase to foreign adversaries, US companies and individuals as it is to the US government,” he added.
But in his own letter to Ms. Haines, Mr. Wyden urged the intelligence agencies to adjust their practices, pointing to the Federal Trade Commission’s recent crackdown on companies that sell personal information.
This month, the FTC barred a data broker formerly known as X-Mode Social from selling location data as part of a first-of-its-kind settlement. The settlement established that the agency considers trading location data — which was collected without consumers’ consent to be sold to government contractors for national security purposes — to be a violation of a provision of the Federal Trade Commission Act that prohibits unfair and deceptive practices.
And last week, the FTC unveiled a proposed settlement with another data aggregator, InMarket Media, that bars it from selling accurate location data without fully informing customers and obtaining their consent — even if the government isn’t involved.
While the NSA does not appear to be buying data that includes location information, Mr. Wyden argued that Internet metadata can also reveal sensitive things — such as whether a person visits websites for advice on topics such as suicide, substance abuse or sexual abuse or other private matters, such as whether someone is looking for abortion pills by mail.
In his letter, he wrote that action against X-Mode Social should be a warning to the intelligence community and asked Ms. Haines to “take action to ensure that US intelligence agencies only purchase data on Americans legally obtained.”