Recent news reporting revealed that the National Security Agency (NSA) had been purchasing American citizens’ Internet browsing information from commercial brokers without a legal warrant. The revelation came out when the NSA director wrote a response to a U.S. Senator, who made it public and called upon U.S. intelligence to cease using such personal data without the express knowledge and consent of Americans. In his own letter to the Director of National Intelligence, the Senator said that the government should not be financially invested in “a shady industry whose flagrant violations of Americans’ privacy are not just unethical, but illegal.” What’s perhaps most interesting about this disclosure is that the Senator had spent the past three years working to bring this information to public light, according to the Senator’s website.
Perhaps more troubling is that the NSA is not alone: this practice is likely being used by other agencies that have an intelligence collection mission. For example, the same Senator revealed that the Defense Intelligence Agency (DIA) had been buying location data collected from the smartphones of Americans. Per this news report, the DIA may have searched for the movements of U.S. persons within a commercial database in at least five investigations the Agency had conducted over a span of nearly three years. While this seems strange for a military organization whose intelligence mission is the “collection and analysis of military-related foreign political, economic, industrial, geographic, and medical and health intelligence,” it may not be that out of place depending on what it was doing. The Department of Defense (DoD) provides specific guidance on this activity in its policy DoD 5240.1-R. In 2023, the Federal Bureau of Investigation finally admitted to engaging in the same practice in the past, buying location data of U.S. citizens without a warrant, though it said it no longer did so.
Other intelligence agency components have also been alleged to conduct activities that collected information on U.S. citizens and that seem to fall outside their primary focus and responsibilities. The NSA has been called out for its perceived involvement in conducting mass surveillance via the Foreign Intelligence Surveillance Act (FISA), which essentially gives permission for the government to execute warrantless surveillance of U.S. persons’ international communications (including calls, texts, emails, social media, Internet browsing). This is worrisome given the two programs that the Snowden leaks exposed involving the breadth and scale of these activities. Ostensibly, Section 702 of FISA, which grants these authorities, has been expanding over time, meaning that more and more Americans’ data is being trapped. Even the government acknowledged that in 2011, this surveillance enabled the retention of more than 250 million Internet communications. This authority is particularly worrisome when pointed internally, where it can be used to examine, without a warrant, the private communications of Americans the government is investigating. While some in the government say that such data collection is inadvertent and incidental, it does lead one to question what is done with the collected information.
With this latest revelation of purchasing commercially available information (CAI), it appears that intelligence agencies are now leveraging the technologies and services of data brokers to bolster their collection efforts. A recent White House Executive Order defines CAI as “any information or data about an individual or group of individuals, including an individual’s or group of individuals’ device or location, that is made available or obtainable and sold, leased, or licensed to the general public or to governmental or non-governmental entities.” And since this data is collected by private sector entities and available for sale, it sits in a thick gray area with respect to whether intelligence agencies are operating ethically and within their responsibilities. As one cybersecurity news source pointed out, this practice is another example of intelligence and law enforcement entities obtaining “sensitive data from private companies that otherwise would necessitate a court order to acquire directly from communication companies.”
Data brokers collect and aggregate information from a variety of sources; process it to enrich, cleanse or analyze it; and license it to other organizations. They essentially do all the legwork in tracking down sensitive though obtainable information and provide one-stop shopping for interested buyers. The data can include, but is not limited to, current and past addresses, associated phone numbers, email accounts, social media, net worth estimates, real estate purchases, court records, and employment history. In other words, it is the very type of information that should be protected and that can be exploited and weaponized by actors. Anyone can make a one-time purchase of an individual’s full records, which can cost as little as one dollar for a single report. The amount that a government agency has the fiscal resources to acquire is quite staggering.
To be fair, the NSA responded to the Senator by citing the compliance measures it had taken to “minimize” the collection of U.S. person information, and by stating that it obtains only mission-critical data and does not purchase location data from phones without a court order. One senior DoD official said that Defense components used CAI in a way consistent with privacy and civil liberties protections. The official also said that he was unaware of any requirement in U.S. law mandating the acquisition of a court order to purchase CAI that any other organization or person, foreign or otherwise, is able to purchase.
While such responses may be valid from a legal perspective, this raises the question of whether such information should be made available in the first place, given the nature of how this data is used and exploited, and why laws like Europe’s General Data Protection Regulation are becoming increasingly vital legal tools for curbing the gross abuse of civil liberties by governments. This does little to instill trust in a public that sees that government entities would rather ask for forgiveness after the fact than ask for permission up front. More importantly, it brings necessary attention to how some agencies are willing to operate, engaging in ethically questionable activities that aren’t expressly prohibited to them by the law. It also suggests that laws need to be amended to reflect this perception and constrain such activities in the future.
“Trust us” is no longer an acceptable response from the very government entities sworn to protect the people of the country. Whether accidental or not, the collection of private citizen data needs to be explained, and cannot be swept under the carpet of “national security.” There have been far too many exposures of government overreach, and they demand transparency about how private citizen data is required for national security activities. This means showing your work: not so much how the data is collected, but what’s being done after its collection. This should be no problem, especially if the collection is accidental, as is typically purported by intel and law enforcement officials. Citizens should have the right to know how information they did not consent to have collected is handled, retained, and destroyed. If the government ever expects to regain the trust and confidence of the public, it needs to demonstrate an act of good faith. It can start by showing that it puts its citizens first.