Senator Ron Wyden of the United States revealed last week that the National Security Agency (NSA) has acknowledged purchasing internet traffic records from data brokers in order to identify the websites and apps that Americans use that would otherwise require a court order.
In a letter to Avril Haines, the Director of National Intelligence (DNI), Wyden stated that “the U.S. government should not be funding and legitimising a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.” Wyden also called for actions to “ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.”
Because personal information about an individual can be inferred from the websites they visit, metadata about users’ browsing activities can be a severe privacy issue.
This could include telehealth providers who specialise in birth control or abortion drugs, websites that give mental health services, and support for victims of sexual assault or domestic abuse.
In answer to Wyden’s questions, the National Security Agency (NSA) stated that it “continues to acquire only the most useful data relevant to mission requirements,” “takes steps to minimise the collection of U.S. person information,” and has established compliance procedures.
However, the organisation stated that it does not purchase or utilise location data obtained from American phones without a court order. Additionally, it stated that it does not use location data gleaned from domestic vehicle telematics systems.
Secretary of Defence for Intelligence and Security Ronald S. Moultrie stated that Departments of Defence (DoD) components obtain and use commercially available information (CAI) in a way that “adheres to high standards of privacy and civil liberties protections” in order to support legitimate intelligence or cybersecurity missions.
The disclosure is more proof that law enforcement and intelligence services are buying potentially sensitive information from businesses that would require a court order to obtain directly from telecom companies. The Defence Intelligence Agency (DIA) was found to be purchasing and utilising domestic location data obtained from smartphones through commercial data brokers at the beginning of 2021.
Following the Federal Trade Commission’s (FTC) decision to forbid Outlogic (previously X-Mode Social) and InMarket Media from selling precise location data to their clients without obtaining their informed consent, the revelation regarding the warrantless purchase of personal data has been made.
In addition, Outlogic has been prohibited from gathering location data that might be used to monitor individuals’ trips to sensitive sites like domestic violence shelters, medical and reproductive health clinics, and houses of worship as part of its settlement with the FTC.
According to Wyden, the acquisition of sensitive data from these “shady companies” has lived in a legal grey area. He added that consumers are frequently unaware of who their data is being shared with or how it is being used, and that data brokers who purchase and resell this data are unknown to them.
Another notable aspect of these shadowy data practices is that third-party apps incorporating software development kits (SDKs) from these data brokers and ad-tech vendors do not notify users of the sale and sharing of location data, whether it be for advertising or national security.
“According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to ‘government contractors for national security purposes,'” the Oregon Democrat said.
“I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industry-wide, and not limited to this particular data broker.”