View of Pentagon showing internet data from data brokers

Declassified Pentagon Letters Reveal NSA Has Been Routinely Buying Internet Data on Americans From Data Brokers to Evade Court Order Requirements

Sen. Ron Wyden (D-OR), who has made internet privacy one of the central focuses of his term, has revealed that the National Security Agency (NSA) regularly purchases internet data such as geolocation and web browsing information from private data brokers. This sort of data could normally only be obtained via a court order.

In a public letter to Director of National Intelligence Avril Haines, Wyden notes that he has been requesting that the letters that confirm NSA purchase of internet data be declassified for three years. He argues that this shows that the agency wanted to keep this information concealed from the public, with the issue coming to a head this past November when Wyden put a hold on the nomination of Timothy Haugh to the NSA director position until the agency answered his questions about warrantless surveillance of Americans.

NSA uses shady data brokers to scoop up metadata on citizens

The information that the NSA buys from data brokers can contain location data, web browsing information and lists of apps that Americans use, according to the declassified letters. The stores of information that the agency is buying do not contain personal communications, but are made up of so-called “netflow data” that is generated by devices as they navigate the internet. Data subjects generally share this information, often without realizing that it is flowing to these data brokers, when they agree to give an app access to their device or visit a website that uses third-party tracking cookies.

The NSA responded to media inquiries about Wyden’s letter by confirming that it does purchase this type of internet data from private sources, but claims that it “minimizes” what it takes in and applies “technical filters” to preserve privacy. Defense Department intelligence official Ronald Moultrie added that agencies that purchase the internet data are held to Fourth Amendment and other applicable legal standards in its handling.

Based on the nature of this internet data, browsing information is likely limited to the URLs that subjects visit (as opposed to what they specifically click on or interact with). However, a list of URLs can be extremely privacy-invasive on its own. It could reveal health conditions, religious affiliation, domestic abuse, mental health concerns, and a variety of other personal information that would generally be protected under existing law.

This information comes as the FTC has begun cracking down on some of the major data brokers that operate in the shadows, issuing orders to two (InMarket Media and Outlogic) to cease selling precise location information about data subjects without their consent. However, the FTC’s present campaign has been specific to mobile phone location data and has yet to address broader internet data collected via web browsing. It is not clear which providers the NSA has been buying its data from.

Growing awareness of sale of internet data among consumers, but data brokers remain a mystery

Consumers are becoming increasingly aware that companies like Meta and Google are hungry for their personal data and make their massive fortunes off of it, and are demanding more transparency and protection. However, the sort of data brokers that the NSA is making purchases from are still broadly unknown to the average person. They gather their information by embedding trackers in advertising platforms and software development kits offered to app developers, and it is much harder for the average internet user to pinpoint exactly where they are or when they are collecting their internet data.

Wyden’s concern is not just that the NSA has found a loophole by which to obtain internet data without a warrant, but that the government is essentially subsidizing the type of data broker that has found itself banned or heavily restricted in other countries with established national privacy laws. The senator called for the DNI  to stop purchase of any otherwise legally restricted data in this way, and for the FTC to require data brokers to notify data subjects and collect their consent before selling to a government agency. Wyden also wants to see an inventory of already-collected data taken and a determination made on whether or not each source it was taken from meets the FTC’s existing standards for legal data sales. Any data that does not meet this standard would have to be purged.

The first public disclosure of US intelligence agencies buying internet data from brokers was in July of 2023, when a report from January 2022 was declassified. That report also indicated that government agencies were buying metadata from data brokers for intelligence and national security purposes but did not specify which agencies were involved. One of the data brokers that the FTC recently banned had been collecting data from Muslim prayer apps to share with military contractors.