NSA headquarters at Ft. Meade, Maryland (NSA via Getty Images)

NSA illegally purchases Americans’ internet data without a warrant, senator says

The NSA’s purchases of commercial metadata without a court order — revealed in documents exchanged with Sen. Ron Wyden — violate consumer protection laws, the Oregon Democrat claims.

The National Security Agency purchases certain forms of Americans’ internet usage data from data brokers without a warrant, a revelation which puts the intelligence community in conflict with consumer protection and privacy rules, a top Democratic lawmaker said Thursday evening.

Oregon Senator Ron Wyden, a senior lawmaker who sits on the high chamber’s influential intelligence committee, released documents showing exchanges between his office and NSA officials admitting the agency purchases troves of potentially sensitive internet data without first seeking a court order to retrieve it. The New York Times first reported the letter.

Wyden late last year sought an answer from NSA on its data purchasing behaviors, blocking the nomination of Lt. Gen. Timothy Haugh — tapped to lead NSA and U.S. Cyber Command — until the Pentagon publicly acknowledged whether the IC buys Americans’ location information from data brokers. 

That hold was lifted after Wyden’s office in December said the NSA and Defense Department provided enough information to him on the inquiry, ending a nearly three-year standoff in which the agency refused to publicly release information on the matter, according to his office.

The senator said NSA is in violation of a recent Federal Trade Commission order that bars data brokers from selling individuals’ geolocation data without first obtaining consent from consumers. He urged the Office of the Director of National Intelligence to ask intelligence agencies to determine whether their current databases contain information in violation of the FTC order and conduct a broader audit into the types of data they collect.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote to Director of National Intelligence Avril Haines in a supporting letter embedded with the documents.

“To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC,” he added.

The documents, which include missives from outgoing agency leader Gen. Paul Nakasone and Undersecretary of Defense for Intelligence & Security Ronald Moultrie, say NSA buys commercial internet metadata potentially linked with devices used both inside and outside the U.S., but Nakasone stressed the agency “does not buy and use location data collected from phones known to be used in the United States either with or without a court order.”

The FTC and the Pentagon declined to comment. ODNI and the White House did not respond to requests for comment. 

“NSA purchases commercially available Netflow data for its cybersecurity mission, to include but not limited to inform the Agency’s collection, analysis, and dissemination of cyber threat intelligence,” an NSA official told Nextgov/FCW in a statement, adding “At all stages, NSA takes steps to minimize the collection of U.S. person information, to include application of technical filters.”

“Where a U.S. IP address is involved, this data is limited to internet communications where one side of the communication is a U.S. IP address and the other is foreign, or where one or both communicants are foreign intelligence targets, such as a malicious cyber actor,” the official said.

At an event held the same day as the documents’ release, Jude Sunderbruch, the Defense Department’s Cyber Crime Center director, publicly said that commercial data sources have become vital to the intelligence community’s cyber operations and noted the Pentagon frequently partners with commercial industry players on information sharing activities.

The revelations come amid recent debates over a hotly contested warrantless surveillance power that was set to expire at the end of last year. The spying authority — Section 702 of the Foreign Intelligence Surveillance Act — allows the FBI and NSA to gather electronic data without a traditional warrant when the target is a foreigner overseas and it’s for foreign intelligence purposes. 

But those intercepted exchanges sometimes include conversations with Americans, raising skeptics’ fears that American communications are warrantlessly swept up in the process. Civil rights groups have also cited legal complaints that allege the intelligence community’s domestic misuse of the authority. Meanwhile, IC officials argue the tool is vital to U.S. operations and that information sourced from Section 702 makes up a large chunk of President Joe Biden’s daily briefings.

Wyden and other lawmakers proposed legislation late last year that would keep the authority in place for another four years but require intelligence agencies to obtain a warrant from the attorney general to extract and analyze any gathered American communications. The renewal debate ended with Congress greenlighting 702 for a short-term extension through mid-April, leaving its provisions unchanged for now.

The senator’s office in 2021 revealed the Defense Intelligence Agency bought and used location data linked to Americans’ mobile devices, igniting multiple congressional efforts aimed at bolstering Fourth Amendment protections for U.S. citizens’ data. A declassified ODNI report released in June says the IC has leaned heavily on purchasing information that includes data protected by the Fourth Amendment.