Multiple military intelligence offices have paid a data broker for access to internet traffic logs, which could reveal the online browsing histories of U.S. citizens, Sen. Ron Wyden said in a letter Wednesday, citing an anonymous whistleblower who had contacted his office.
At least four agencies within the United States Department of Defense, including the Army and Navy, have collectively spent at least $3.5 million on a little-known data monitoring tool with the reported ability to provide access to vast swaths of email data and web browsing activity. Team Cymru, the Florida-based cybersecurity firm behind the tool, claims its product provides customers with a “super majority of all activity on the internet” and “visibility” into more than 90% of internet traffic.
The previously unknown government procurements, revealed in a Wednesday Vice report, have already triggered alarm bells from a prominent U.S. Senator and the American Civil Liberties Union, which told Gizmodo there’s still far too little known about how the DoD’s making use of the tool which can “reveal extremely sensitive information about who we are and what we’re reading online,” Wyden wrote. At the very least, the purchase represents the latest example of government agencies potentially finessing their way around constitutional protections by seeking out data from shady data brokers and other private firms.
Wyden wrote Wednesday to the inspectors general at the Departments of Defense, Justice, and Homeland Security, urging an investigation of their respective agencies’ purchase of the data, saying he had confirmed that “multiple government agencies are purchasing Americans’ data without judicial authorization.”
With regard to the military, Wyden said a whistleblower had come forward to his office who had revealed that a series of formal complaints had been filed “up and down their chain of command.” According to Wyden, the complaints implicate the Naval Criminal Investigative Service (NCIS) in deals to obtain netflow data without a warrant.
“According to the whistleblower, NCIS is purchasing access to data, which includes netflow records and some communications content, from Team Cymru, a data broker whose data sales I have previously investigated,” said Wyden, the Senate Finance chair and longtime member of the Select Intelligence Committee.
Netflow records can reveal which servers users connect to, often thereby revealing specific websites they visit. The logs may also reveal the volume of data sent or received, and how long a user accessed a site.
Motherboard first reported in Aug. 2021 that Team Cymru, a threat intelligence firm, was working with internet service providers to obtain access to netflow records. The company informed the senator’s office at the time that it obtained “netflow data from third parties in exchange for threat intelligence.”
Citing a source granted anonymity to speak candidly about industry practices, Motherboard reported that Team Cymru’s clients were given access to a dataset, through which they could “run queries against virtually any IP to pull the netflows to and from that IP over a given point in time.”
This reportedly includes the ability to follow traffic through virtual private networks (VPN), services used by some users to browse the internet more privately.
According to Wyden, public contracting records have confirmed the military’s use of a tool called Augury, which provides “petabytes” of network data “from over 500 collection points worldwide.” At least “100 billion new records” are collected each day, including email and web browsing data.
Wyden said the tool is offered by the contractor Argonne Ridge Group, which shares “the same corporate address” as Team Cymru, with which Argonne also has “overlapping corporate officers.” He added that records show Argonne has secured contracts with U.S. Cyber Command, the Army, the Federal Bureau of Investigation and the U.S. Secret Service.
The Defense Intelligence Agency, Defense Counterintelligence and Security Agency, and U.S. Customs and Border Protection (CBP) are also named in the letter. Wyden’s investigation of the government’s purchases is ongoing.
The revelations sparked concern from leading rights groups like the American Civil Liberties Union, which told Gizmodo that greater transparency is needed to understand just how government agencies are using this information.
“Web-browsing records can reveal extremely sensitive information about who we are and what we’re reading online,” Patrick Toomey, Deputy Director of the ACLU National Security Project, said in an email to Gizmodo. “We need to know far more about how military and law enforcement agencies are exploiting their warrantless access to our private information.”
In an email, a Team Cymru spokesperson claimed that the news reports about its government contracts are “false and misleading,” and said the “allegations” concerning its software’s capabilities are “baseless.” (The spokesperson did not specify which claims they believe are false, nor provide any further details about its product to correct the record.)
Spokespersons for CBP and the FBI did not immediately respond to a request for comment. A military spokesperson is directing all questions to the DoD’s inspector general’s office. We are awaiting a response.
The news comes as several federal lawmakers are working to investigate the U.S. government’s acquisition of data that agencies would otherwise require a warrant to obtain. Last month, two top Democrats in the House of Representatives — Reps. Jerrold Nadler and Bennie Thompson — demanded the FBI and DHS disclose details of alleged data purchases that reveal internet browsing activity and users’ precise locations.
While a Supreme Court decision in 2018 held that the government cannot acquire sensitive location data without a warrant, several government agencies are accused of choosing to interpret the decision narrowly, exempting data that — rather than being demanded — is commercially acquired. In other words, the government is literally buying its way around the Fourth Amendment.
Federal agencies are not the only ones doing so. On Friday, Rep. Anna Eshoo asked the Federal Trade Commission to investigate newly revealed police software, known as Fog Reveal, which allows law enforcement agencies to map the movements of Americans “months back in time.” That service relies not on netflow data, but location data culled from hundreds of consumer apps, purportedly for advertising purposes.
“Consumers do not realize that they are potentially nullifying their Fourth Amendment rights when they download and use free apps on their phones,” Eshoo said. “It would be hard to imagine consumers consenting to this if actually given the option, yet this is functionally what occurs.”
Update 9:45 p.m.: Added a comment from Team Cymru.