We Should've Figured The NSA Was Buying Our Data, But It Does Not Feel Great To Know For Sure
If the government wants to spy on Americans, they need to get a warrant.
On Thursday, Oregon Senator Ron Wyden released a letter and several declassified documents confirming that the National Security Agency has been buying the personal internet metadata of American citizens through shady data brokers. Information that, under normal circumstances, would very much require a warrant.
Wyden has actually been aware of this since 2021, the same year he released the information that “the Defense Intelligence Agency was buying and using location data collected from Americans’ phones.” For the last three years he has fought to be able to make the information about the NSA public as well, because we deserve to know these kinds of things. It wasn’t until he put a hold on Lt. General Timothy Haugh’s nomination as NSA director that the information was cleared for public release — because sometimes you have to play hardball, even with your own party, in order to get important and necessary things done.
There isn’t much specific information in the letter and documents, but former NSA Director Paul Nakasone does reveal that although most of the commercially available information they have bought has been on people in foreign countries, the “NSA does buy and use commercially available netflow (i.e. non-content) data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.”
Admittedly, the first 20 times I read that sentence, I wasn’t sure if I should be horrified or halfway through building a cabinet. So let me put it in more simple terms for anyone else whose brain has gone fuzzy trying to parse what any of that means. It just means the NSA is buying the internet metadata of American citizens, but not any specific information or content. It’s like they can see what restaurant you went to but not what you ordered when you got there.
“Until recently, the data broker industry and the intelligence community's (IC) purchase of data from these shady companies has existed in a legal gray area, which was in large part due to the secrecy surrounding the practice,” Wyden wrote in a letter to Director of National Intelligence Avril Haines. Things are starting to change, however, and the FTC has been cracking down on what these data mining companies are and are not allowed to do.
Earlier this month, the FTC brought an action against data broker X-Mode Social, which we know sold Americans’ location data to US military customers through defense contractors (which is another thing we know because Ron Wyden cared enough to find out).
The FTC notes in its complaint that the reason informed consent is required for location data is because it can be used to track people to sensitive locations, including medical facilities, places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, and welfare and homeless shelters. The FTC added that the sale of such data poses an unwarranted intrusion into the most private areas of consumers lives. While the FTC's X-Mode social complaint and order are limited to location data, internet metadata can be equally sensitive. Such records can identify Americans who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse, a visit to a telehealth provider focusing on specific healthcare need, such as those prescribing and delivering abortion pills by mail, or reveal that someone likely suffers from a gambling addiction.
Surely we can see how some of that information might be used nefariously by those in our government.
Thanks to the FTC’s ruling in this case, these companies are now obligated to tell people specifically when their information will be sold to US intelligence agencies. What Wyden wants now is for Haines to ensure that intelligence communities “may only purchase data about Americans that meets the standard for legal data sales established by the FTC” and to take the following steps to do that:
Conduct an inventory of the personal data purchased by the agency about Americans, including, but not limited to, location and internet metadata. The cataloging of IC acquisition of commercially available information was also a recommendation of the Office of the DNI’s Senior Advisory Group Panel on Commercially Available Information in its January 2022 report.
Determine whether each data source identified in that inventory meets the standards for legal personal data sales outlined by the FTC. This, too, is consistent with the Senior Advisory Group’s recommendation to “identify and protect sensitive [Commercially Available Information] that implicates privacy and civil liberties concerns.”
Where those data purchases do not meet the FTC’s legal standard for personal data sales, promptly purge the data. Should IC elements have a specific need to retain the data, such need, and a description of any retained data, be conveyed to Congress and, to the greatest extent possible, to the American public.
If they need more than that, they can do it the right way and get a court order or a warrant.
There is very little question that we, as Americans, have become rather complacent about our privacy being violated and our data being mined. And the fact is, ever since the passing of the Patriot Act, since the advent of smartphones and smart homes and Ring camera doorbells and Google and targeted advertising, and the entire internet as we currently know it, it would be very difficult to get through the day getting het up about all of it. We are tired.
We don’t always feel like reading the terms of agreement, we don’t always want to click all of the cookies we don’t want to allow in order to read one damn article on one damn page. Unfortunately, beyond going full Amish or setting ourselves up in a Unabomber shack on the outskirts of civilization, we don’t have a lot of other options. That makes us feel powerless and no one likes feeling powerless, so we push it down and try to forget about it as much as we can.
That’s exactly why we need those we bestow actual power upon to push back for us, to figure out what exactly is happening with our information and, if necessary, put a stop to it. We should all be very grateful to Ron Wyden for staying on top of this for us.
PREVIOUSLY:
That last paragraph is especially true for me. I KNOW perfectly well that I'm probably opening myself up to data abuse by not reading all of those lengthy "if you click here than you accept we are going to do stuff with your info" buttons, but I'm busy, who has time for all of that? And companies/organizations know this and make it so we give them what they want out of frustration/expediency. Fortunately for me, I live in the EU and there are extra protections for online interactions, so a lot of US websites either make the content unavailable for EU browsers or they give the "yeah, I guess you can opt out of everything, even though we wish you wouldn't" option. This should be standard practice everywhere.
Anyway, yay, thanks Ron! Hero! And thanks to Robyn for the explainer.
𝐛𝐮𝐲𝐢𝐧𝐠 𝐭𝐡𝐞 𝐩𝐞𝐫𝐬𝐨𝐧𝐚𝐥 𝐢𝐧𝐭𝐞𝐫𝐧𝐞𝐭 𝐦𝐞𝐭𝐚𝐝𝐚𝐭𝐚 𝐨𝐟 𝐀𝐦𝐞𝐫𝐢𝐜𝐚𝐧 𝐜𝐢𝐭𝐢𝐳𝐞𝐧𝐬 𝐭𝐡𝐫𝐨𝐮𝐠𝐡 𝐬𝐡𝐚𝐝𝐲 𝐝𝐚𝐭𝐚 𝐛𝐫𝐨𝐤𝐞𝐫𝐬.
How very American. Not only are they violating the Constitution with impunity, they're pouring taxpayer money into the coffers of sketchy companies who are only out to make a buck. Win-win!