Wednesday, January 31, 2024

NSA Buying Logs From Data Brokers

Charlie Savage (via Hacker News):

The National Security Agency buys certain logs related to Americans’ domestic internet activities from commercial data brokers, according to an unclassified letter by the agency.

The letter, addressed to a Democratic senator and obtained by The New York Times, offered few details about the nature of the data other than to stress that it did not include the content of internet communications.

Still, the revelation is the latest disclosure to bring to the fore a legal gray zone: Intelligence and law enforcement agencies sometimes purchase potentially sensitive and revealing domestic data from brokers that would require a court order to acquire directly.


In a letter to the director of national intelligence dated Thursday, the senator, Ron Wyden, Democrat of Oregon, argued that “internet metadata” — logs showing when two computers have communicated, but not the content of any message — “can be equally sensitive” as the location data.

Thomas Claburn:

The NSA for years has been intercepting phone metadata and internet communications through bulk data collection programs under Section 702 of the US Foreign Intelligence Surveillance Act. The rules are supposed to target foreign threats beyond America’s borders, yet communications between US persons and foreign nationals get captured as part of this process.

The acquisition of Americans’ personal data is even easier. This personal information flows from web and native apps on people’s devices to app makers and their marketing partners, and then to data brokers who sell it on to others, and it can be had by Uncle Sam’s agents without a warrant.


But recent action by the US Federal Trade Commission suggests that buying and selling of unlawfully obtained data will no longer be tolerated. The gray area has been repainted as a red line.

Tim Cushing (Hacker News):

Buying domestic data from data brokers is just something the government does all the time. Bypassing restraints enacted by the Supreme Court, federal agencies (along with local law enforcement agencies) are hoovering up whatever domestic data they can from private companies all too happy to be part of the problem.

Sure, the government can pretend the Third Party Doctrine applies here. But chances are that most of this data being collected by phone apps and other services isn’t being collected with the full knowledge of device users. This is the sort of thing that’s hidden in the deep end of Terms of Use boilerplate, suckering people out of all kinds of data because they made the mistake of assuming a seemingly-innocuous match-3 game wouldn’t attempt to ping their phone’s location and tie it to specific device IDs.

Bruce Schneier:

This is almost certainly illegal, although the NSA maintains that it is legal until it’s told otherwise.

Joseph Cox:

Hundreds of thousands of ordinary apps, including popular ones such as 9gag, Kik, and a series of caller ID apps, are part of a global surveillance capability that starts with ads inside each app, and ends with the apps’ users being swept up into a powerful mass monitoring tool advertised to national security agencies that can track the physical location, hobbies, and family members of people to build billions of profiles, according to a 404 Media investigation.

Via Nick Heer:

It does not seem possible to know for sure whether Patternz really processes ninety terabytes of data daily (PDF), for example, but the company claims it creates a direct link between online advertising networks and global surveillance for intelligence agencies. It does not sound far fetched.


Even if you believe targeted advertising is a boon for publishers — something which seems increasingly hard to justify — it has turned the open web into the richest and most precise spyware the world has ever known. That is not the correct trade-off.

Probably worth keeping an eye on a case in California’s Northern District, filed in 2021, which alleges the privacy problems of Google’s real-time bidding system amount to a contract breach.

Bruce Schneier:

The CFPB’s rules align with a key security idea: the decoupling principle. By separating which companies see what parts of our data, and in what contexts, we can gain control over data about ourselves (improving privacy) and harden cloud infrastructure against hacks (improving security). Officials at the CFPB have described the new rules as an attempt to accelerate a shift toward “open banking,” and after an initial comment period on the new rules closed late last year, Rohit Chopra, the CFPB’s director, has said he would like to see the rule finalized by this fall.

Right now, uncountably many data brokers keep tabs on your buying habits. When you purchase something with a credit card, that transaction is shared with unknown third parties. When you get a car loan or a house mortgage, that information, along with your Social Security number and other sensitive data, is also shared with unknown third parties. You have no choice in the matter. The companies will freely tell you this in their disclaimers about personal information sharing: that you cannot opt-out of data sharing with “affiliate” companies. Since most of us can’t reasonably avoid getting a loan or using a credit card, we’re forced to share our data. Worse still, you don’t have a right to even see your data or vet it for accuracy, let alone limit its spread.

The CFPB’s simple and practical rules would fix this. The rules would ensure people can obtain their own financial data at no cost, control who it’s shared with and choose who they do business with in the financial industry. This would change the economics of consumer finance and the illicit data economy that exists today.


Update (2024-02-05): Jordan Rose:

I don’t really get why the proposal is “it should be illegal for the government to buy this” rather than “it should be illegal for companies to sell it”. Even if the latter never gets passed because of regulatory capture, can’t it at least be the starting point?
