The U.S. National Security Agency is buying vast amounts of commercially available web browsing data on Americans without a warrant, according to the agency’s outgoing director.
NSA director Gen. Paul Nakasone disclosed the practice in a letter to Sen. Ron Wyden, a privacy hawk and senior Democrat on the Senate Intelligence Committee. Wyden published the letter on Thursday.
Nakasone said the NSA purchases “various types” of information from data brokers “for foreign intelligence, cybersecurity, and authorized mission purposes,” and that some of the data may come from devices “used outside — and in certain cases, inside — the United States.”
“NSA does buy and use commercially available netflow data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad,” Nakasone said in the letter.
Netflow records contain non-content information (also known as metadata) about the flow and volume of internet traffic over a network, which can reveal where internet connections came from and which servers passed data to one another. Netflow data can be used to track network traffic through VPNs and can help identify servers and networks used by malicious hackers.
The NSA did not say from which providers it buys commercially available internet records.
In a responding letter to the Office of the Director of National Intelligence (ODNI), which oversees the U.S. intelligence community, Wyden said that this internet metadata “can be equally sensitive” as location data sold by data brokers for its ability to identify Americans’ private online activity.
“Web browsing records can reveal sensitive, private information about a person based on where they go on the internet, including visiting websites related to mental health resources, resources for survivors of sexual assault or domestic abuse, or visiting a telehealth provider who focuses on birth control or abortion medication,” said Wyden in a statement.
Wyden said he learned of the NSA’s domestic internet records collection in March 2021, but was unable to share the information publicly until it was declassified. As a member of the Senate Intelligence Committee, Wyden is allowed to receive and read classified materials but cannot share them publicly. NSA lifted the restrictions after Wyden put a hold on the nomination of the next NSA director, the senator said.
The practice of the U.S. intelligence community buying large sets of commercially available data from private data brokers, while not new, was only publicly disclosed in June 2023. The ODNI did not disclose which U.S. spy agencies were buying the data, or say if it knew. By its own admission, the ODNI said at the time that commercially purchased data “clearly provides intelligence value,” but “raises significant issues related to privacy and civil liberties.”
The NSA is not the only U.S. government agency relying on commercially bought data for intelligence gathering or investigations. Previous reporting shows the Defense Intelligence Agency bought access to a commercial database containing Americans’ location data in 2021 without a warrant. The Internal Revenue Service also used location data it bought from a data broker to identify suspects, as did the Department of Homeland Security to track undocumented migrants, without warrants in both cases.
But the use of commercial data by the U.S. intelligence community raises questions about the legality of the practice, at a time when the NSA is facing congressional scrutiny of its expiring legal surveillance powers and indirect admonishment from within the federal government.
In his letter to the ODNI, Wyden cited the Federal Trade Commission’s recent enforcement action against data brokers as raising “serious questions about the legality” of government agencies buying access to Americans’ data.
Earlier this month, the FTC banned X-Mode, a prolific data broker that shared the location data of Muslim prayer app users with military contractors, from selling phone location data and ordered the company to delete the data that it has collected. A week later, the FTC brought similar action against InMarket, another data broker, saying the company did not obtain users’ explicit consent before collecting their location data, and banned the data broker from selling consumers’ precise location data.
That puts government departments and agencies that use commercially obtained data, like the NSA, in a legal gray space.
When reached by email Friday, FTC spokesperson Juliana Gruenwald Henderson said the regulator had no comment on the NSA’s use of commercial data.
Government agencies typically have to secure a court-approved warrant before obtaining private data on Americans from a phone or a tech company. But U.S. agencies have skirted this requirement by arguing they do not need a warrant if the information, like precise location records or netflow data, is openly for sale to anyone who wants to buy it — though this legal theory remains untested in U.S. courts.
For its part, the NSA said in its letter to Wyden that it was “not aware of any requirement in U.S. law or judicial opinion… that [the Department of Defense] obtain a court order in order to acquire, access or use information, such as [commercially available information], that is equally available for purchase to foreign adversaries, U.S. companies and private persons as it is to the U.S. government.”
Wyden called on the ODNI to implement a policy that only allows U.S. spy agencies to purchase data about Americans that meets the FTC’s standard for legal data sales; otherwise, the agency should delete the data. Wyden said that if a U.S. spy agency has a specific need to retain the data, it should at least inform Congress, if not the wider public.
It remains unclear if the NSA also purchases access to location databases, as other federal government agencies have done.
Nakasone said in his letter to Wyden that the NSA does not buy and use location data collected from phones or vehicles “known to be located in the United States,” leaving open the interpretation that NSA could acquire commercially available data if it was not known to originate from U.S. devices.
When reached by email, NSA spokesperson Eddie Bennett confirmed the NSA collects commercially available internet netflow data, but declined to clarify or comment on Nakasone’s remarks.
You can contact Zack Whittaker by Signal on +1 646.755.8849 or by email. You also can share files and documents with TechCrunch via our SecureDrop.