Challenge Federal Agencies Buying Americans’ Internet Data

To some extent, US government agencies buy details of Americans’ internet activities from data brokers – and US Senator Ron Wyden (D-OR) wants an explanation.

On Wednesday, Wyden wrote a letter [PDF] To the Inspectors General of the Departments of Homeland Security, Defense, and Justice to demand that oversight agencies consider the illegal purchase of Americans’ Internet traffic data.

In America, the Fourth Amendment protects people from unreasonable searches and seizures, which is why law enforcement agencies generally need to obtain a warrant before they can request data from or about a third party under investigation. Wyden’s concern is that government agencies are violating the Fourth Amendment by obtaining information from third-party data brokers and bypassing the judicial review process required by law.

Wyden said he had been investigating the government’s purchase of the site and internet browsing records for several years, but was obstructed by the Pentagon. Last year, the Defense Department responded to his inquiries but applied a designation that prevents Wyden from releasing the details. The Democratic senator’s efforts to remove this restriction were rejected.

Despite the Defense Department’s defensiveness, Wyden says information from whistleblowers and general government contracts shows that many agencies have purchased access to people’s Internet traffic metadata. These organizations include the US Cyber ​​Command, the Army, the Naval Criminal Investigative Service (NCIS), the Defense Counterintelligence and Security Agency, the Defense Intelligence Agency, the Federal Bureau of Investigation, and the US Secret Service.

“According to the whistleblower, NCIS purchases access to data, which includes netflow logs and some communications content, from Team Cymru, the data broker whose data sales I have previously investigated,” Wyden wrote.

Wyden says public records indicate that NCIS has a contract to use Augury, a subscription service offered by Team Cymru that “provides access to email data (‘IMAP/POP/SMTP’). [packet capture] data’) and data about web browser activity (‘Cookie use’, ‘UserAgent data’ and ‘URL accessed’). “

That is, the senator is suggesting that NCIS – yes, it’s a real agency, not a TV one – buys records of people’s intercepted Internet traffic that includes not only metadata – like source and destination IP addresses – but the contents of some of that data.

question of interest

Packet or PCAP data can be obtained through network analysis tools; You can use Wireshark yourself on your own network. The amount of information available can be extensive and revealing, as these samples show. NetFlow logs, which originated with Cisco, are similar and complementary but less detailed.

Wyden claims, based on what he’s seen, that Team Cymru’s Augury provides access to “petabytes” of data “from over 550 collection points around the world” and “is updated with at least 100 billion new records every day.”

For us, it’s certainly possible that Oguri – now known by another brand name, Team Cymru Pure Signal Recon – can at least monitor some internet packets from nodes created around the world. The software is supposed to allow customers to study traffic flows of interest, such as communications between infected machines and remote control servers, and to identify and monitor IP addresses used for malicious purposes.

If the content of the packets is available then surely it should be unencrypted data, like plain old HTTP which really shouldn’t be used in this day and age anyway. Web browsing, email and other traffic using encrypted protocols including HTTPS, TLS, SSH and IPsec should be off limits, other than packet metadata such as IP addresses, timestamps and respective network ports.

In other words, yes, it is possible for Augury to track the flow of at least some people’s Internet traffic, but visibility into the content of that data should be limited by the increasing use of encryption. It’s a reminder that if you send things in plain text over the “network”, just assume someone can see them and sell them.

In response to our inquiry, the Cymru team disputed media coverage earlier this week of Wyden’s claims and suggested that the Augury producer doesn’t do what it’s purported to be – it reveals everything everyone is doing online.

record Team Cymru was asked to comment more specifically on what Wyden claimed and requested a product demo, and we received no response. If anyone who has used Augury and similar tools – there are competitors out there – would like to describe these suites to us, contact us.

It is interesting to note that Team Cymru’s CEO, Rabbi Rob Thomas, was until June of this year a member of the Tor Project’s board of directors, which also used Cymru’s hosting of its .org website.

Last month, members of the US House of Representatives Judiciary Committee sent a letter requesting similar information about Uncle Sam’s data collection to the heads of the Department of Justice, the FBI, US Customs and Border Protection, US Immigration and Customs Enforcement and the Drug Enforcement Administration. Bureau of Alcohol, Tobacco, Firearms and Explosives.

Previous inquiries of this kind have had limited success and have not resulted in any government-wide policy. Last year, J. Russell George, the Treasury Department’s inspector general, responded to an inquiry from Wyden and Senator Elizabeth Warren (D-MA) about the purchase of location data from contractor Venntel by the IRS. he wrote [PDF] That IRS officials believe they do not need an injunction to use Venntel’s data because “the available information was voluntarily delivered through individual permissions” in the apps and devices they use.

In other words, Americans chose to watch.

George’s letter goes on to say that the IRS Criminal Investigations “indicated that it was no longer using any cell phone-related data from any vendor because the data proved to be unhelpful in investigations”, and had changed its approach and included a review in the use of future investigative tools to determine whether this might require a judicial order.

Citing the letter issued last year, Laura Hecht-Vilila, a fellow at the Brennan Center for Justice, a nonprofit institute of law and policy at New York University, called on lawmakers to take action.

“The government’s ability to procure sensitive website information without judicial or legislative oversight upsets the old balance of power between the people and government created by the Fourth Amendment,” she wrote in a publication last year.

“It creates opportunities for law enforcement monitoring that would otherwise be unenforceable due to resource and technology constraints, facilitating unimpeded government surveillance on a scale unimaginable just a few decades ago.” ®

#Challenge #Federal #Agencies #Buying #Americans #Internet #Data

Leave a Comment

Your email address will not be published.