The US National Security Agency is buying massive amounts of commercially available web browsing data on Americans without a warrant, according to the agency’s outgoing director.
NSA Director Gen. Paul Nakasone disclosed the practice in a letter to Sen. Ron Wyden, a privacy hawk and the top Democrat on the Senate Intelligence Committee. Wyden published the letter on Thursday.
Nakasone said the NSA buys “various types” of information from data brokers “for purposes of foreign intelligence, cybersecurity, and authorized missions” and that some of the data may come from devices “used outside — and in some cases, inside — the United States.”
“NSA purchases and uses commercially available network data related to entirely domestic Internet communications and Internet communications where one side of the communication is a US Internet Protocol address and the other is located overseas,” Nakasone said in the letter.
Netflow records contain non-content information (also known as metadata) about the flow and volume of Internet traffic over a network, which can reveal where Internet connections originated and which servers passed data to one another. Netflow data can be used to monitor network traffic over VPNs and can help identify servers and networks used by malicious hackers.
The NSA did not say from which providers it buys commercially available Internet records.
In a response letter to the Office of the Director of National Intelligence (ODNI), which oversees the US intelligence community, Wyden said this Internet metadata “can be just as sensitive” as location data sold by data brokers for its ability to identify Americans’ private online activity.
“Web browsing records can reveal sensitive, private information about a person based on where they go on the Internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion drugs,” Wyden said in a statement.
Wyden said he learned about the NSA’s collection of domestic Internet records in March 2021, but could not share the information publicly until it was declassified. As a member of the Senate Intelligence Committee, Wyden is allowed to receive and read classified material, but cannot share it publicly. The NSA lifted the restrictions after Wyden put the appointment of the next NSA director on hold, the senator said.
The US intelligence community’s practice of purchasing large sets of commercially available data from private data brokers, while not new, was only publicly disclosed in June 2023. ODNI did not disclose which US intelligence agencies were buying the data or whether it knew. By its own admission, the ODNI said at the time that commercially purchased data “clearly provides information value” but “raises significant privacy and civil liberties issues”.
The NSA is not the only US government agency that relies on commercially purchased data for intelligence gathering or investigations. Previous reporting shows the Defense Intelligence Agency bought access to a commercial database containing Americans’ location data in 2021 without a warrant. The Internal Revenue Service also used location data purchased from a data broker to identify suspects, as does the Department of Homeland Security to track down undocumented immigrants, without warrants in either case.
However, the use of commercial data by the US intelligence community raises questions about the legality of the practice, at a time when the NSA faces congressional scrutiny of expiring legal oversight powers and indirect advice from within the federal government.
In his letter to ODNI, Wyden cited the Federal Trade Commission’s recent enforcement action against data brokers as raising “serious questions about the legality” of government agencies buying access to Americans’ data.
Earlier this month, the FTC banned X-Mode, a prolific data broker that shared the location data of Muslim prayer app users with military contractors, from selling phone location data and ordered the company to delete the data it has collected. A week later, the FTC filed a similar lawsuit against InMarket, another data broker, saying the company did not obtain users’ express consent before collecting their location data and barring the data broker from selling consumers’ precise location data.
This puts government agencies that use commercial data, such as the NSA, in a legal gray area.
When reached by email Friday, FTC spokeswoman Juliana Gruenwald Henderson said the regulator had no comment on the NSA’s use of commercial data.
Government agencies typically must secure a court-approved warrant before obtaining personal data about Americans from a phone or technology company. But U.S. agencies have sidestepped that requirement by arguing they don’t need a warrant if the information, such as precise location records or web streaming data, is openly sold to anyone who wants to buy it — though that legal theory remains untested in U.S. courts.
For its part, the NSA said in its letter to Wyden that it was “not aware of any requirement in US law or judicial opinion . . . that [the Department of Defense] obtain a court order to obtain, access or use information, such as [commercially available information] that is just as available for purchase by foreign adversaries, US companies and individuals as it is by the US government.”
Wyden called on the ODNI to implement a policy that only allows US spy agencies to buy data on Americans that meets the FTC’s standards for legal data sales. Otherwise, the agencies should delete the data. Wyden said that if a US spy agency has a specific need to retain data, it should at least inform Congress, if not the general public.
It remains unclear whether the NSA also buys access to location databases, as other federal government agencies have done.
Nakasone said in his letter to Wyden that the NSA does not buy or use location data collected from phones or vehicles “known to be in the United States,” leaving open the interpretation that the NSA could obtain commercially available data if it were not known to be from US devices.
When reached by email, NSA spokesman Eddie Bennett confirmed that the NSA collects commercially available Internet traffic data, but declined to elaborate or comment on Nakasone’s remarks.
Zack Whittaker can be reached via Signal at +1 646.755.8849 or via email. You can also share files and documents with TechCrunch via SecureDrop.