The National Security Agency has been buying Americans’ web browsing data from commercial data brokers without warrants, intelligence officials disclosed in documents made public by a US senator Thursday.
The purchases include information about the websites Americans visit and the apps that they use, said Oregon Democratic Sen. Ron Wyden, releasing newly unclassified letters he received from the Pentagon in recent weeks confirming the sales.
The disclosures are the latest evidence that government agencies routinely buy sensitive information about Americans from commercial marketplaces that they would otherwise be required to obtain via court order.
The disclosures come amid rising concerns that foreign governments are doing the same; CNN reported earlier this week that the Biden administration is preparing an executive order meant to curb foreign purchases of US citizens’ personal data.
Wyden’s disclosure was earlier reported by The New York Times.
The NSA’s purchases include “information associated with electronic devices being used outside—and, in certain cases, inside—the United States,” wrote Paul Nakasone, the NSA’s director, in a letter to Wyden dated Dec. 11.
The purchases involve what Nakasone described as netflow data, or the technical information generated by devices as they use the internet.
While the data purchased from data brokers does not involve the content of Americans’ communications, Nakasone wrote, the data is “related to wholly domestic internet communications and internet communications where one side of the communication” is located inside the United States and the other side is located abroad.
Nakasone added that the NSA does not purchase cellphone location data of Americans or location data generated by automotive infotainment systems in the United States.
In a statement to CNN, the NSA affirmed that it buys the data from private vendors.
“NSA purchases commercially available Netflow data for its cybersecurity mission, to include but not limited to inform the Agency’s collection, analysis, and dissemination of cyber threat intelligence,” an NSA official said. “At all stages, NSA takes steps to minimize the collection of U.S. person information, to include application of technical filters.”
The NSA uses the commercially purchased data to support its cybersecurity and foreign intelligence missions, according to Nakasone’s letter and the NSA official. The NSA’s mission includes defending US military networks from foreign hacking.
In response to Wyden’s further questions, a top Defense Department intelligence official, Ronald Moultrie, wrote that agencies that purchase the data are responsible for complying “with existing law, regulation and policy, including the Fourth Amendment.”
And Allison Nixon, chief research officer at cybersecurity firm Unit 221B, said there were plenty of legitimate uses for netflow data that can help protect organizations against cyberattacks and do not involve spying on people.
“Netflow is useful for tracking malware and [distributed denial of service] attacks,” Nixon told CNN. “It’s not useful for finding who’s having abortions and calling the suicide hotline.”
“Netflow is one of the reasons your antivirus can catch malware, and it’s one of the reasons your bank can detect credit card fraud before you do,” Nixon said.
Wyden, one of Congress’ most vocal privacy advocates, said he spent nearly three years pushing to be able to disclose the NSA practice and only succeeded when he placed a hold on the nomination of Nakasone’s successor for NSA director, Lt. Gen. Timothy Haugh. In a similar disclosure in 2021, Wyden revealed that the Defense Intelligence Agency had purchased commercially available smartphone location data without a warrant.
As part of Thursday’s announcement, Wyden wrote a letter to the Biden administration urging it to stop the warrantless surveillance of Americans through the purchases of internet data.
“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote to Avril Haines, the director of national intelligence.
“Although the intelligence agencies’ warrantless purchase of Americans’ personal data is now a matter of public record, recent actions by the Federal Trade Commission (FTC), the primary federal privacy regulator, raise serious questions about the legality of this practice,” Wyden added.
In a report that was declassified last year, Haines’ office acknowledged the risks posed by the easy availability of Americans’ personal data and recommended that US spy agencies catalog and develop procedures for protecting data they acquire by commercial means.
Wyden’s reference to the FTC reflects recent moves by privacy regulators to crack down on data brokers, including bans on the sale of certain personal information by two companies, InMarket Media and Outlogic, formerly known as X-Mode.
The FTC launched a separate process in 2022 that could lead to new regulations targeting what agency chair Lina Khan has called a “commercial surveillance” industry that profits from lax cybersecurity practices and weak restrictions on how consumer data can be collected, shared and analyzed.
In his letter Thursday, Wyden also called for intelligence agencies to delete any commercially acquired data that does not align with the FTC’s recent crackdowns.
CNN’s Sean Lyngaas contributed to this report.