Pierluigi Paganini January 29, 2024

The U.S. National Security Agency (NSA) admitted to buying internet browsing records from data brokers to monitor Americans’ activity online without a court order.

U.S. Senator Ron Wyden, D-Ore., released documents that confirmed the National Security Agency (NSA) buys Americans’ internet browsing records without a court order.

The data acquired by the intelligence agency can reveal the websites visited by the US citizens and what apps they use. Wyden called on the US government to order intelligence agencies to stop buying personal data from Americans that has been obtained illegally by data brokers.

The U.S. Senator pointed out that according to a recent FTC order, data brokers cannot sell Americans’ data without informed consent. 

Metadata on browsing activity, which includes information about the websites visited, timestamps, and duration of visits, can be abused for surveillance in several ways, privacy advocated warn.

“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Wyden wrote in a letter to Director of National Intelligence (DNI) Avril Haines today. “To that end, I request that you adopt a policy that, going forward, IC elements may only purchase data about Americans that meets the standard for legal data sales established by the FTC.”

Senator Wyden urged the DNI to direct intelligence agencies to comply with recent FTC regulations by taking three steps:

1. Conduct an inventory of personal data acquired by the agency concerning Americans: This inventory should encompass, but not be limited to, location and internet metadata.
2. Evaluate each data source identified in the inventory to assess whether it meets FTC standards for legal personal data sales.
3. Promptly eliminate any data purchases that do not meet FTC legal standards for personal data sales.

“According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to “government contractors for national security purposes.” I have conducted a broad probe of the data broker industry over the past seven years, and I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industrywide, and not limited to this particular data broker.” reads the letter sent to NSA and Defense Department. “The FTC’s order against X-Mode Social should serve as a much-needed wake-up call for the IC. The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, NSA)