Several military intelligence agencies have paid a data broker to access internet traffic logs that could reveal the online browsing histories of US citizens, Senator Ron Wyden said in a letter on Wednesday, citing an anonymous whistleblower who contacted his office.
At least four agencies within the U.S. Department of Defense, including the Army and Navy, have collectively spent at least $3.5 million ($5 million) on a little-known data surveillance tool reportedly able to grant access to huge swathes of email data and web browsing activity. Team Cymru, the Florida-based cybersecurity company behind the tool, claims its product gives customers a “vast majority of all activity online” and “visibility” into more than 90% of internet traffic.
The previously unknown government procurements, revealed in a Vice report Wednesday, have already set off alarm bells for a prominent U.S. Senator and the American Civil Liberties Union, who told Gizmodo that far too little is known about how the DoD uses the tool. The tool can “reveal extremely sensitive information about who we are and what we read online,” Wyden wrote. At the very least, the purchase represents the latest example of government agencies potentially circumventing constitutional protections by seeking data from shady data brokers and other private companies.
Wyden wrote to the inspectors general for the Departments of Defense, Justice and Homeland Security on Wednesday, urging an investigation into their respective agencies’ purchase of the data. He confirmed that “several government agencies are buying Americans’ data without court approval.”
Regarding the military, Wyden said a whistleblower who called his office revealed that a number of formal complaints had been filed “up and down their chain of command.” Wyden said the complaints implicate the Naval Criminal Investigative Service (NCIS) in deals to obtain netflow data without a warrant.
“According to the whistleblower, NCIS is acquiring access to data, including Netflow records and some communications content, from Team Cymru, a data broker whose data sales I previously investigated,” said Wyden, chair of the Senate Treasury and a longtime member of the Select Intelligence Committee.
Netflow records can show which servers users connect to, often revealing specific websites they visit. The logs can also reveal the amount of data sent or received and the duration of a user’s access to a website.
Motherboard first reported in August 2021 that Team Cymru, a threat intelligence company, is working with ISPs to gain access to Netflow records. The company told the senator’s office at the time that it had received “netflow data from third parties in exchange for threat intelligence.”
Citing a source who was granted anonymity to speak openly about industry practices, Motherboard reported that Team Cymru’s customers were given access to a data set and could “run queries against virtually any IP to see the netflows to and from this IP over a certain point in time.”
These reportedly include the ability to track traffic over virtual private networks (VPN), services used by some users to browse the web more privately.
According to Wyden, government procurement records have confirmed the military’s use of a tool called Augury, which yields “petabytes” of network data “from over 500 collection points worldwide.” At least “100 billion new records” are collected every day, including email and web browsing data.
Wyden said the tool is offered by contractor Argonne Ridge Group, which has “the same corporate address” as Team Cymru, with which Argonne also has “overlapping corporate leaders.” He added that records show Argonne has contracts with the US Cyber Command, the Army, the Federal Bureau of Investigation and the US Secret Service.
The letter also names the Defense Intelligence Agency, the Defense Counterintelligence and Security Agency and the US Customs and Border Protection (CBP). Wyden’s investigation into government purchases is ongoing.
The revelations sparked concern from leading rights groups including the American Civil Liberties Union, which told Gizmodo that more transparency was needed to understand how government agencies were using this information.
“Web browsing records can reveal extremely sensitive information about who we are and what we read online,” Patrick Toomey, associate director of the ACLU National Security Project, said in an email to Gizmodo. “We need to know a lot more about how military and law enforcement agencies are exploiting their unauthorized access to our private information.”
CBP and FBI spokespeople did not immediately respond to a request for comment. A military spokesman is directing all questions to the Department of Defense’s inspector general’s office. We are waiting for an answer.
The news comes as several federal lawmakers work to investigate the U.S. government’s acquisition of data that agencies would otherwise require a warrant to obtain. Last month, two leading House Democrats — Representatives Jerrold Nadler and Bennie Thompson — asked the FBI and DHS to disclose details of alleged data purchases that reveal users’ Internet browsing activity and exact locations.
While a 2018 Supreme Court ruling found that the government cannot acquire sensitive location data without a warrant, several government agencies are accused of narrowly interpreting the decision and excluding data that is acquired commercially rather than compelled. In other words, the government is literally buying its way around the Fourth Amendment.
Federal agencies aren’t the only ones doing this. On Friday, Rep. Anna Eshoo asked the Federal Trade Commission to investigate newly uncovered police software called Fog Reveal that allows law enforcement to map the movements of Americans “months back in time.” This service does not rely on Netflow data; instead, it relies on location data allegedly sourced from hundreds of consumer apps for advertising purposes.
“Consumers don’t realize that if they download and use free apps on their phones, they may be violating their Fourth Amendment rights,” Eshoo said. “It would be hard to imagine consumers agreeing to this if they actually had the opportunity, but this is functionally what’s happening.”