US government agencies have, to some extent, bought details of Americans’ Internet activities from data brokers – and US Senator Ron Wyden (D-OR) wants an explanation.
Wyden wrote a letter on Wednesday [PDF] to the inspectors general of the Departments of Homeland Security, Defense and Justice to demand that the agencies’ watchdogs investigate the illegal purchase of Americans’ Internet traffic data.
In America, the Fourth Amendment protects people from unreasonable searches and seizures, so law enforcement agencies typically must obtain a search warrant before they can request information from or about a third party under investigation. Wyden’s concern is that government agencies are flouting the Fourth Amendment by soliciting information from third-party data brokers and bypassing the judicial review process required by law.
Wyden said he had been investigating the government’s purchase of location and web browsing records for several years, but had been obstructed by the Pentagon. The Department of Defense responded to his inquiries last year but applied a classification that prevents Wyden from releasing the details. And the Democratic senator’s efforts to get that restriction lifted have been rebuffed.
Despite the Defense Department’s defensiveness, Wyden says information from a whistleblower and public government contracts show several agencies have acquired access to metadata about people’s Internet traffic. These organizations include the US Cyber Command, the Army, the Navy’s Naval Criminal Investigative Service (NCIS), the Defense Counterintelligence and Security Agency, the Defense Intelligence Agency, the Federal Bureau of Investigation, and the US Secret Service.
“According to the whistleblower, NCIS is acquiring access to data, including Netflow records and some communications content, from Team Cymru, a data broker whose data sales I previously investigated,” Wyden wrote.
According to Wyden, public records indicate that NCIS has a contract to use Augury, a subscription service offered by Team Cymru that provides “access to email data (‘IMAP/POP/SMTP [packet capture] data’) and data about web browser activity (‘Cookie Usage’, ‘UserAgent Data’ and ‘URL Accessed’).”
That is to say, the senator is asserting that NCIS – yes, it’s a real agency and not just a television show – buys logs of people’s intercepted Internet traffic that contain not only metadata, like source and destination IP addresses, but also the content of some of this data.
A question of utility
Packet capture or PCAP data can be obtained via network analysis tools; one that you can use yourself on your own network is Wireshark. The amount of information available can be vast and insightful, as these examples show. NetFlow records, a format that originated at Cisco, are similar and complementary, but less detailed.
Wyden claims, based on what he’s seen, that Team Cymru’s Augury provides access to “petabytes” of data “from over 550 collection sites worldwide” and is “updated with at least 100 billion new records every day.”
It’s entirely plausible to us that Augury – now known by a different brand, Team Cymru Pure Signal Recon – can observe at least some internet packets from nodes deployed around the globe. The software is said to allow customers to examine interesting traffic flows, such as communication between infected devices and remote control servers, and to identify and monitor IP addresses used for malicious purposes.
If the content of packets is available, it would certainly have to be unencrypted data, such as plain old HTTP, which shouldn’t be used in this day and age anyway. Web browsing, email, and other traffic that uses encrypted protocols such as HTTPS, TLS, SSH, and IPsec should be opaque to an observer, except for packet metadata such as IP addresses, timestamps, and network ports involved.
In other words, yes, it is possible for Augury to track the flow of internet traffic of at least some people, but the visibility of the content of this data should be limited due to the increasing use of encryption. It’s a reminder that if you’re sending things over the internet in clear text, just assume someone out there can see and sell them.
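To make that distinction concrete, here is an added Python example (not from the original article, and not a description of how Augury works). It parses two constructed packets and shows that a flow-style record holds only addresses, ports and sizes for both, while a full capture exposes the URL, user agent and cookie of a plain HTTP request but only an opaque record for TLS. The function names, addresses and header values are assumptions made for the illustration.

```python
import struct

def build_packet(src, dst, sport, dport, payload):
    """Build a constructed IPv4+TCP packet (checksums left zero; sample input only)."""
    tcp = struct.pack("!HHIIBBHHH", sport, dport, 1, 0, 5 << 4, 0x18, 65535, 0, 0)
    total = 20 + len(tcp) + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, 6, 0,
                     bytes(map(int, src.split("."))), bytes(map(int, dst.split("."))))
    return ip + tcp + payload

def flow_record(pkt):
    """Header-only view: roughly the fields a NetFlow-style record keeps."""
    ihl = (pkt[0] & 0x0F) * 4                      # IPv4 header length in bytes
    src = ".".join(map(str, pkt[12:16]))
    dst = ".".join(map(str, pkt[16:20]))
    sport, dport = struct.unpack("!HH", pkt[ihl:ihl + 4])
    return {"src": src, "dst": dst, "sport": sport, "dport": dport,
            "proto": pkt[9], "bytes": len(pkt)}

def payload_view(pkt):
    """Full-capture view: what the payload reveals to whoever holds the PCAP."""
    ihl = (pkt[0] & 0x0F) * 4
    data_off = (pkt[ihl + 12] >> 4) * 4            # TCP header length in bytes
    payload = pkt[ihl + data_off:]
    # TLS record header: content type 20-23, major version 3, then a length.
    if len(payload) >= 5 and payload[0] in (20, 21, 22, 23) and payload[1] == 3:
        return {"readable": False,
                "detail": "TLS record, %d opaque bytes" % (len(payload) - 5)}
    if payload.split(b" ", 1)[0] in (b"GET", b"POST", b"HEAD", b"PUT"):
        lines = payload.decode("latin-1").split("\r\n")
        headers = dict(l.split(": ", 1) for l in lines[1:] if ": " in l)
        return {"readable": True,
                "url": headers.get("Host", "") + lines[0].split(" ")[1],
                "user_agent": headers.get("User-Agent"),
                "cookie": headers.get("Cookie")}
    return {"readable": False, "detail": "unrecognised payload"}

# Constructed sample traffic: documentation address ranges and made-up values.
HTTP = build_packet("192.0.2.10", "198.51.100.7", 51000, 80,
    b"GET /account?id=42 HTTP/1.1\r\nHost: example.test\r\n"
    b"User-Agent: ExampleBrowser/1.0\r\nCookie: session=abc123\r\n\r\n")
TLS = build_packet("192.0.2.10", "198.51.100.7", 51001, 443,
    b"\x17\x03\x03\x00\x10" + bytes(range(16)))   # stand-in for ciphertext

if __name__ == "__main__":
    for name, pkt in (("http", HTTP), ("tls", TLS)):
        print(name, flow_record(pkt), payload_view(pkt))
```

Both packets yield the same kind of flow record; only the cleartext one gives up the fields the contract language calls “URL Accessed”, “UserAgent Data” and “Cookie Usage”.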
In response to our inquiry, Team Cymru earlier this week disputed media coverage of Wyden’s claims and suggested that its Augury product doesn’t do what has been claimed – that it reveals pretty much everything everyone does online.
The Register asked Team Cymru to elaborate on Wyden’s claims and requested a demo of the product, but we have received no response. If anyone who has used Augury and similar tools – there are competitors out there – would like to describe these suites to us, write to us.
It’s interesting to note that until June of this year, Team Cymru’s CEO, Rabbi Rob Thomas, was a board member of the Tor project, which also used Cymru’s hosting for its .org website.
Last month, members of the US House Judiciary Committee sent a letter requesting similar information about Uncle Sam’s data collection to heads of the Justice Department, FBI, US Customs and Border Protection, US Immigration and Customs Enforcement, the Drug Enforcement Administration and the Bureau of Alcohol, Tobacco, Firearms and Explosives.
Previous investigations of this type have had limited success and have not resulted in government-wide policy. Last year, Treasury Department Inspector General J. Russell George responded to a request from Wyden and Senator Elizabeth Warren (D-MA) about the IRS’s purchase of location data from contractor Venntel. He wrote [PDF] that IRS officials believed they did not need a search warrant to use Venntel data because “the available information was voluntarily shared through individual permissions” in the apps and devices they use.
In other words, Americans have chosen surveillance.
George’s letter goes on to say that the IRS Criminal Investigation “has indicated that it is no longer using cellphone-related data from any carrier because the data has not been found to be useful for investigations” and has changed its approach to include a review of the use of future investigative tools to determine whether they may require a search warrant.
Laura Hecht-Felella, a fellow at the Brennan Center for Justice, a nonprofit law and policy institute at New York University, cited last year’s letter and urged lawmakers to take action.
“The government’s ability to buy sensitive location information without judicial or legal oversight upsets the time-honoured balance of power between the people and the government established by the Fourth Amendment,” she wrote in a post last year.
“It creates opportunities for law enforcement surveillance that would otherwise be unfeasible due to resource and technical limitations, and facilitates unhindered government surveillance on a massive scale that would have been unthinkable a few decades ago.” ®