Earlier this month, the National Security Agency (NSA) acknowledged that it purchases certain logs related to Americans’ domestic internet activities from commercial data brokers. This information came to light in an unclassified letter addressed to a Democratic senator and obtained by The New York Times. While the letter offered limited details about the nature of the data, it emphasized that the content of internet communications was not included.
This revelation highlights a legal gray area where intelligence and law enforcement agencies buy potentially sensitive domestic data from brokers—data that would typically require a court order to obtain directly. The disclosure coincides with the Federal Trade Commission (FTC) beginning to crack down on companies that trade in personal location data gathered from smartphone apps, often without users’ knowledge or consent regarding where the data would end up or how it would be used.
In a letter dated Thursday to the Director of National Intelligence, Senator Ron Wyden, a Democrat from Oregon, argued that “internet metadata”—logs showing when two computers have communicated, but not the content of any messages—can be just as sensitive as the location data the FTC is targeting. He urged intelligence agencies to stop purchasing internet data about Americans if it was not collected under the standards the FTC has established for location records.
“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Senator Wyden wrote.
A representative for Avril D. Haines, the Director of National Intelligence, did not respond to a request for comment.
The NSA disclosed its practices under pressure in a letter that its departing director, General Paul M. Nakasone, sent last month to Senator Wyden. In November, the senator had placed a hold on President Biden’s nominee to be the next agency director, Lieutenant General Timothy D. Haugh, preventing the Senate from voting on his confirmation until the agency publicly disclosed whether it was buying the location data and web browsing records of Americans.
In his letter, General Nakasone wrote that the NSA had decided to reveal that it purchases and uses various types of commercially available metadata for its foreign intelligence and cybersecurity missions, including netflow data related to wholly domestic internet communications. Netflow data generally refers to internet metadata that shows when computers or servers have connected but does not include the content of their interactions. Such records can be generated when people visit different websites or use smartphone apps, but the letter did not specify the level of detail in the data the agency buys.
An NSA official clarified that the agency purchases commercially available netflow data for its cybersecurity mission of detecting, identifying, and thwarting foreign hackers. The official emphasized that “at all stages, NSA takes steps to minimize the collection of U.S. person information,” including using technical means to filter it. The agency limits its netflow data to internet communications where one side is a computer address inside the United States and the other side is foreign, or where one or both parties are foreign intelligence targets, such as malicious cyber actors.
While General Nakasone acknowledged that some of the data the NSA purchases is associated with electronic devices being used outside—and, in certain cases, inside—the United States, he stated that the agency does not buy domestic location information, including from phones or internet-connected cars known to be in the country.
Senator Wyden, a longtime privacy advocate and surveillance skeptic who has access to classified information as a member of the Senate Intelligence Committee, has proposed legislation that would bar the government from purchasing data about Americans that it would otherwise need a court order to obtain. In early 2021, he obtained a memo revealing that the Defense Intelligence Agency buys commercially available databases containing location data from smartphone apps and had searched them several times without a warrant for Americans’ past movements. The senator has been pushing for the government to publicly disclose more about its practices.
Correspondence with Senator Wyden, parts of which were redacted as classified, strongly suggested that other parts of the Defense Department also purchase such data. Law enforcement and intelligence agencies outside the Defense Department have similarly been buying data about Americans in ways that have drawn increasing scrutiny. In September, the inspector general of the Department of Homeland Security criticized several of its units for buying and using smartphone location data in violation of privacy policies. Customs and Border Protection has also indicated that it would stop purchasing such data.
Another letter to Senator Wyden from Ronald S. Moultrie, the Under Secretary of Defense for Intelligence and Security, stated that acquiring and using such data from commercial brokers was subject to various safeguards. He said the Pentagon used the data lawfully and responsibly to carry out its missions, including detecting hackers and protecting American service members. There is no legal barrier to buying data that is “equally available for purchase to foreign adversaries, U.S. companies, and private persons as it is to the U.S. government,” he added.
However, in his own letter to Ms. Haines, Senator Wyden urged intelligence agencies to adjust their practices, pointing to the Federal Trade Commission’s recent crackdown on companies that sell personal information. This month, the FTC banned a data broker formerly known as X-Mode Social from selling location data as part of a first-of-its-kind settlement. The agreement established that the agency considers trading location data—which was collected without consumers’ consent that it would be sold to government contractors for national security purposes—a violation of a provision of the Federal Trade Commission Act that prohibits unfair and deceptive practices.
Last week, the FTC unveiled a proposed settlement with another data aggregator, InMarket Media, that bars it from selling precise location data if it did not fully inform customers and obtain their consent—even if the government is not involved.
While the NSA does not appear to buy data that includes location information, Senator Wyden argued that internet metadata can also reveal sensitive information—such as whether a person is visiting websites about counseling related to suicide, substance abuse, sexual abuse, or other private matters like seeking mail-order abortion pills. In his letter, he wrote that the action against X-Mode Social should serve as a warning to the intelligence community and asked Ms. Haines to “take action to ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.”