Federal agencies buying Americans' internet data challenged by US senators
Maybe we don't want to go with the netflow, man
US government agencies have been buying, to some degree, details of Americans' internet activities from data brokers – and US Senator Ron Wyden (D-OR) wants an explanation.
On Wednesday, Wyden wrote a letter [PDF] to the inspectors general for the Departments of Homeland Security, Defense, and Justice to request that the agency watchdogs look into the warrantless purchase of Americans' internet traffic data.
In America, the Fourth Amendment protects people against unreasonable searches and seizures, which is why law enforcement agencies generally need to obtain a warrant before they can demand data from or about a third-party under investigation. Wyden's concern is that government agencies are flouting the Fourth Amendment by obtaining information from third-party data brokers and bypassing the judicial review process required under the law.
Wyden said he has been investigating the government's purchase of location and web browsing records for several years, but has been stymied by the Pentagon. The Defense Department last year responded to his queries but applied a classification that prevents Wyden from making the details public. And the Democrat senator's efforts to have that restriction removed have been rebuffed.
Despite the defensiveness of the Defense Department, Wyden says that information from a whistleblower and public government contracts show that multiple agencies have purchased access to people's internet traffic metadata. These organizations include US Cyber Command, the Army, the Navy’s Naval Criminal Investigative Service (NCIS), the Defense Counterintelligence and Security Agency, the Defense Intelligence Agency, the Federal Bureau of Investigation, and the US Secret Service.
“According to the whistleblower, NCIS is purchasing access to data, which includes netflow records and some communications content, from Team Cymru, a data broker whose data sales I have previously investigated,” Wyden wrote.
Wyden says public records indicate that NCIS has a contract to use Augury, a subscription service offered by Team Cymru that "provides access to email data ('IMAP/POP/SMTP [packet capture] data') and data about web browser activity ('cookie usage,' 'UserAgent data', and 'URL accessed')."
That is to say, the senator is suggesting that NCIS – yes, it's a real agency, and not made up for television – is purchasing logs of people's intercepted internet traffic that includes not just metadata – such as source and destination IP addresses – but also the contents of some of that data.
A matter of utility
Packet capture or PCAP data can be obtained through network analysis tools; one you can use yourself on your own network is Wireshark. The amount of information available can be extensive and revealing, as these samples show. NetFlow records, which originated with Cisco, are similar and complementary but less detailed.
Wyden claims, based on what he's seen, that Team Cymru's Augury provides access to "petabytes" of data "from over 550 collection points worldwide" and "is updated with at least 100 billion new records each day."
To us, it is certainly possible that Augury – now known under another brand, Team Cymru Pure Signal Recon – can observe at least some internet packets from nodes set up around the globe. The software is supposed to allow customers to study traffic flows of interest, such as communications between infected devices and remote control servers, and identify and monitor IP addresses used for malicious purposes.
If the content of packets is available, it must surely be unencrypted data, such as plain old HTTP that shouldn't really be used in this day and age anyway. Web browsing, email, and other traffic using encrypted protocols including HTTPS, TLS, SSH, and IPsec, should be out of bounds, other than packet metadata such as the IP addresses, timestamps, and network ports involved.
In other words, yes, it's possible for Augury to track the flow of at least some people's internet traffic, but visibility into the content of that data should be limited due to the growing use of encryption. It's a reminder that if you send stuff in plain text over the 'net, just assume someone out there can see it and sell it.
In response to our inquiry, Team Cymru disputed media coverage earlier this week of Wyden's claims and suggested its Augury product does not do what has been alleged – that it reveals just about everything that everyone does online.
The Register asked Team Cymru to comment more specifically on what Wyden has alleged and asked for a demo of the product, and we've not heard back. If anyone who has used Augury and similar tools – there are competitors out there – wants to describe these suites to us, drop us a line.
It's interesting to note that the CEO of Team Cymru, Rabbi Rob Thomas, was until June of this year a board member of the Tor Project, which also used Cymru's hosting for its .org website.
- US border cops harvest info from citizens' phones, build massive database
- US senators seek ban on sale of health location data
- FTC urged to probe Apple, Google for enabling 'intense system of surveillance'
- IRS doesn't completely scrap facial recognition, just makes it optional
Last month, members of the US House Judiciary Committee sent a letter seeking similar information on Uncle Sam's data harvesting to the heads of the Justice Department, the FBI, US Customs and Border Protection, US Immigration and Customs Enforcement, the Drug Enforcement Administration, and the Bureau of Alcohol, Tobacco, Firearms and Explosives.
Previous inquiries of this sort have met with limited success and haven't resulted in any government-wide policy. Last year, J. Russell George, Inspector General of the Treasury Department, responded to an inquiry from Wyden and Senator Elizabeth Warren (D-MA) about the purchase of location data from contractor Venntel by the IRS. He wrote [PDF] that IRS officials believed they did not need a warrant to use Venntel data because "the information available had been voluntarily turned over through individual permissions" in the apps and devices they use.
In other words, Americans have opted-in to surveillance.
George's letter goes on to say that IRS Criminal Investigation "indicated that it is no longer using any cell phone-related data from any vendor because the data proved not to be useful in investigations," and has changed its approach and has incorporated a review into using future investigative tools to determine if this might require a warrant.
Citing the letter last year, Laura Hecht-Felella, a Fellow at Brennan Center for Justice, a non-profit law and policy institute at New York University, called for lawmakers to take action.
"The government’s ability to buy sensitive location information without judicial or legislative oversight upends the time-honored balance of power between the people and the government established by the Fourth Amendment," she wrote in a post last year.
"It creates opportunities for law enforcement monitoring that would otherwise be infeasible due to resource and technical constraints, facilitating unimpeded government surveillance on a massive scale that would have been unimaginable a few decades ago." ®