We Should've Figured The NSA Was Buying Our Data, But It Does Not Feel Great To Know For Sure
If the government wants to spy on Americans, they need to get a warrant.
On Thursday, Oregon Senator Ron Wyden released a letter and several declassified documents confirming that the National Security Agency has been buying the personal internet metadata of American citizens through shady data brokers. Information that, under normal circumstances, would very much require a warrant.
Wyden has actually been aware of this since 2021, the same year he released the information that “the Defense Intelligence Agency was buying and using location data collected from Americans’ phones.” For the last three years he has fought to be able to make the information about the NSA public as well, because we deserve to know these kinds of things. It wasn’t until he put a hold on Lt. General Timothy Haugh’s nomination as NSA director that the information was cleared for public release — because sometimes you have to play hardball, even with your own party, in order to get important and necessary things done.
There isn’t much specific information in the letter and documents, but former NSA Director Paul Nakasone does reveal that although most of the commercially available information they have bought has been on people in foreign countries, the “NSA does buy and use commercially available netflow (i.e. non-content) data related to wholly domestic internet communications and internet communications where one side of the communication is a U.S. Internet Protocol address and the other is located abroad.”
Admittedly, the first 20 times I read that sentence, I wasn’t sure if I should be horrified or halfway through building a cabinet. So let me put it in more simple terms for anyone else whose brain has gone fuzzy trying to parse what any of that means. It just means the NSA is buying the internet metadata of American citizens, but not any specific information or content. It’s like they can see what restaurant you went to but not what you ordered when you got there.
“Until recently, the data broker industry and the intelligence community's (IC) purchase of data from these shady companies has existed in a legal gray area, which was in large part due to the secrecy surrounding the practice,” Wyden wrote in a letter to Director of National Intelligence Avril Haines. Things are starting to change, however, and the FTC has been cracking down on what these data mining companies are and are not allowed to do.
Earlier this month, the FTC brought an action against data broker X-Mode Social, which we know sold Americans’ location data to US military customers through defense contractors (which is another thing we know because Ron Wyden cared enough to find out).
The FTC notes in its complaint that the reason informed consent is required for location data is because it can be used to track people to sensitive locations, including medical facilities, places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, and welfare and homeless shelters. The FTC added that the sale of such data poses an unwarranted intrusion into the most private areas of consumers lives. While the FTC's X-Mode social complaint and order are limited to location data, internet metadata can be equally sensitive. Such records can identify Americans who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse, a visit to a telehealth provider focusing on specific healthcare need, such as those prescribing and delivering abortion pills by mail, or reveal that someone likely suffers from a gambling addiction.
Surely we can see how some of that information might be used nefariously by those in our government.
Thanks to the FTC’s ruling in this case, these companies are now obligated to tell people specifically when their information will be sold to US intelligence agencies. What Wyden wants now is for Haines to ensure that intelligence communities “may only purchase data about Americans that meets the standard for legal data sales established by the FTC” and to take the following steps to do that:
Conduct an inventory of the personal data purchased by the agency about Americans, including, but not limited to, location and internet metadata. The cataloging of IC acquisition of commercially available information was also a recommendation of the Office of the DNI’s Senior Advisory Group Panel on Commercially Available Information in its January 2022 report.
Determine whether each data source identified in that inventory meets the standards for legal personal data sales outlined by the FTC. This, too, is consistent with the Senior Advisory Group’s recommendation to “identify and protect sensitive [Commercially Available Information] that implicates privacy and civil liberties concerns.”
Where those data purchases do not meet the FTC’s legal standard for personal data sales, promptly purge the data. Should IC elements have a specific need to retain the data, such need, and a description of any retained data, be conveyed to Congress and, to the greatest extent possible, to the American public.
If they need more than that, they can do it the right way and get a court order or a warrant.
There is very little question that we, as Americans, have become rather complacent about our privacy being violated and our data being mined. And the fact is, ever since the passing of the Patriot Act, since the advent of smartphones and smart homes and Ring camera doorbells and Google and targeted advertising, and the entire internet as we currently know it, it would be very difficult to get through the day getting het up about all of it. We are tired.
We don’t always feel like reading the terms of agreement, we don’t always want to click all of the cookies we don’t want to allow in order to read one damn article on one damn page. Unfortunately, beyond going full Amish or setting ourselves up in a Unabomber shack on the outskirts of civilization, we don’t have a lot of other options. That makes us feel powerless and no one likes feeling powerless, so we push it down and try to forget about it as much as we can.
That’s exactly why we need those we bestow actual power upon to push back for us, to figure out what exactly is happening with our information and, if necessary, put a stop to it. We should all be very grateful to Ron Wyden for staying on top of this for us.
PREVIOUSLY:
I'm far less concerned about the NSA (under a responsible administration) purchasing location metadata than I am about far shadier characters being able to purchase that same data.
I've worked with NSA people - they really, really DGAF about normal people's day-to-day activities, they're looking for security threats.
I can see a bunch of political organizations, OTOH, purchasing and using the same data for oppo research and much, much worse.
We are living what's been told to us in "Survellance Capitalism".