The US National Security Agency (NSA) has admitted buying internet browsing records from data brokers to identify websites and apps used by Americans that would otherwise require a court order, the senator said last week American Ron Wyden.
“The United States government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not only immoral, but illegal,” Wyden said in a letter to Director of National Intelligence (DNI), Avril Haines , as well as urging the government to take steps to “ensure that U.S. intelligence agencies only purchase lawfully obtained data on Americans.”
Metadata about users’ browsing habits can pose a serious privacy risk, as the information could be used to gather personal details about an individual based on the websites they frequent.
This could include websites that offer mental health resources, assistance for survivors of sexual assault or domestic abuse, and telemedicine providers that focus on birth control or abortion medications.
In response to Wyden’s questions, the NSA said it has developed compliance regimes and that it “takes steps to minimize the collection of information on US persons” and “continues to acquire only the most useful data relevant to mission requirements “.
The agency, however, said it does not purchase and use location data collected from phones used in the United States without a court order. It also said that it does not use location information obtained from automotive telematics systems of vehicles located in the country.
Ronald S. Moultrie, Under Secretary of Defense for Intelligence and Security (USDI&S), said that Department of Defense (DoD) components acquire and use commercially available information (CAI) in a manner that “adheres to high privacy and civil liberties protection standards” in support of lawful intelligence or cybersecurity missions.
The revelation is yet another indication that intelligence agencies and law enforcement are purchasing potentially sensitive data from companies that would require a court order to acquire it directly from communications companies. In early 2021, it was revealed that the Defense Intelligence Agency (DIA) was purchasing and using national location data collected from smartphones through commercial data brokers.
The disclosure of the no-guarantee purchase of personal data comes in the aftermath of the Federal Trade Commission (FTC) banning Outlogic (formerly X-Mode Social) and InMarket Media from selling precise location information to its customers without users’ informed consent .
Outlogic, as part of its settlement with the FTC, was also barred from collecting location data that could be used to track people’s visits to sensitive locations such as medical and reproductive clinics, domestic abuse shelters, and places of religious worship .
The purchase of sensitive data from these “shady companies” exists in a legal gray area, Wyden noted, adding that the data brokers who buy and resell this data are not known to consumers, who are often held accountable. It’s unclear who their data is. shared with or where it is used.
Another noteworthy aspect of these shady data practices is that third-party apps that incorporate software development kits (SDKs) from these data brokers and ad tech providers do not warn users about the sale and sharing of data on the location, both for advertising and national purposes. safety.
“According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be informed and agree to have his or her data sold to ‘government contractors for national security purposes,’” the Oregon Democrat said. he said.
“I am not aware of any company that provides such notices to consumers before their data is collected. Therefore, the violation of the law is likely industry-wide and not limited to this particular data broker.”