The National Security Agency buys certain logs related to Americans’ domestic internet activities from commercial data brokers, according to an unclassified letter by the agency.
The letter, addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications.
Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly.
It comes as the Federal Trade Commission has started cracking down on companies that trade in personal location data that was gathered from smartphone apps and sold without people’s knowledge and consent about where it would end up and for what purpose it would be used.
In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that “internet metadata” — logs showing when two computers have communicated, but not the content of any message — “can be equally sensitive” as the location data the F.T.C. is targeting.
He urged intelligence agencies to stop buying internet data about Americans if it was not collected under the standard the F.T.C. has laid out for location records.
“The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal,” Mr. Wyden wrote.
A representative for the national intelligence director, Avril D. Haines, did not respond to a request for comment.
The N.S.A. made its specific disclosure under pressure in a letter that its departing director, Gen. Paul M. Nakasone, sent last month to Mr. Wyden. In November, the senator placed a hold on President Biden’s nominee to be the next agency director, Lt. Gen. Timothy D. Haugh, to prevent the Senate from voting on his confirmation until the agency publicly disclosed whether it was buying the location data and web browsing records of Americans.
In the letter, General Nakasone wrote that his agency had decided to reveal that it buys and uses various types of commercially available metadata for its foreign intelligence and cybersecurity missions, including netflow data “related to wholly domestic internet communications.”
Netflow data generally means internet metadata that shows when computers or servers have connected but does not include the content of their interactions. Such records can be generated when people visit different websites or use smartphone apps, but the letter did not specify how detailed the data is that the agency buys.
Asked to clarify, an N.S.A. official provided a statement that said that the agency purchases commercially available netflow data for its cybersecurity mission of trying to detect, identify and thwart foreign hackers. It stressed that “at all stages, N.S.A. takes steps to minimize the collection of U.S. person information,” including by using technical means to filter it.
The statement added that it limited its netflow data to internet communications in which one side is a computer address inside the United States “and the other side is foreign, or where one or both communicants are foreign intelligence targets, such as a malicious cyberactor.”
While General Nakasone also acknowledged that some of the data the N.S.A. purchases is “associated with electronic devices being used outside — and, in certain cases, inside — the United States,” he said that the agency did not buy domestic location information, including from phones or internet-linked cars known to be in the country.
Mr. Wyden, a longtime privacy advocate and surveillance skeptic who has access to classified information as a member of the Senate Intelligence Committee, has proposed legislation that would bar the government from purchasing data about Americans that it would otherwise need a court order to obtain.
In early 2021, he obtained a memo revealing that the Defense Intelligence Agency buys commercially available databases containing location data from smartphone apps and had searched it several times without a warrant for Americans’ past movements. The senator has been trying to persuade the government to publicly disclose more about its practices.
The correspondence with Mr. Wyden, a portion of which was redacted as classified, strongly suggested that other arms of the Defense Department also buy such data.
Law enforcement and intelligence agencies outside the Defense Department also purchase data about Americans in ways that have drawn mounting scrutiny. In September, the inspector general of the Department of Homeland Security faulted several of its units for buying and using smartphone location data in violation of privacy policies. Customs and Border Protection has also indicated that it would stop buying such data.
Another letter to Mr. Wyden, by Ronald S. Moultrie, the under secretary of defense for intelligence and security, said that acquiring and using such data from commercial brokers was subject to various safeguards.
He said the Pentagon used the data lawfully and responsibly to carry out its various missions, including detecting hackers and protecting American service members. There is no legal bar to buying data that was “equally available for purchase to foreign adversaries, U.S. companies and private persons as it is to the U.S. government,” he added.
But in his own letter to Ms. Haines, Mr. Wyden urged intelligence agencies to adjust their practices, pointing to the Federal Trade Commission’s recent crackdown on companies that sell personal information.
This month, the F.T.C. banned a data broker formerly known as X-Mode Social from selling locational data as part of a first-of-its kind settlement. The agreement established that the agency considers trading location data — which was collected without the consent of consumers that it would be sold to government contractors for national security purposes — to be a violation of a provision of the Federal Trade Commission Act that bars unfair and deceptive practices.
And last week, the F.T.C. unveiled a proposed settlement with another data aggregator, InMarket Media, that bars it from selling precise location data if it did not fully inform customers and obtain their consent — even if the government is not involved.
While the N.S.A. does not appear to buy data that includes location information, Mr. Wyden argued that internet metadata can also reveal sensitive things — like whether a person is visiting websites about counseling related to topics like suicide, substance abuse or sexual abuse, or other private matters, such as if someone is seeking mail-order abortion pills.
In his letter, he wrote that the action against X-Mode Social should be a warning to the intelligence community and asked that Ms. Haines “take action to ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.”