US defense and intelligence services are buying troves of data about Americans on the open market

By Amber Neely

US intelligence and defense organizations are perhaps operating outside mandates to spy on American citizens by buying a wealth of personal data harvested from smartphones through brokers, and a senator wants the practice stopped.

The U.S. government is a key customer of data brokers

Senator Ron Wyden says in a letter that, thanks to a "legal gray area," US intelligence and the Department of Defense can purchase bulk data about U.S. citizens without their consent. He wants the practice stopped, and the data deleted.

Typically, if a government security agency wants to obtain data about a user's internet activity, they would need to petition developers and internet service providers with a warrant. However, they can avoid issuing warrants by purchasing data from data brokers.

When Senator Wyden asked the Department of Defense to disclose if it also purchased data from brokers, the DOD argued that buying commercially available information (CAI) is legal for the Intelligence Community (IC) do, purely because anyone can.

"I am not aware of any requirement in U.S. law or judicial opinion... that DoD obtain a court order in order to acquire, access, or use information, such as CAI, that is equally available for purchase to foreign adversaries, U.S. companies, and private persons as it is to the U.S. Government," Under Secretary of Defense for Intelligence & Security Ronald S. Moultrie pens in response to Senator Wyden's concerns.

However, Senator Wyden points out that may not be entirely true. As it turns out, the Federal Trade Commission (FTC) took action against a data brokerage company, X Mode Social, in early January. In that case, the FTC argued that the collection and resale of data to the IC is unlawful as it was not obtained through informed consent.

As Senator Wyden notes, the data that the government obtains can be particularly sensitive. It could easily show personally identifiable information such as a person's sexual or gender identity and religious practices. It also can reveal information about an individual's medical history.

"Such records can identify Americans who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse, a visit to a telehealth provider focusing on specific healthcare need, such as those prescribing and delivering abortion pills by mail, or reveal that someone likely suffers from a gambling addiction," Senator Wyden writes.

The FTC argues that it isn't enough for consumers to consent to websites and apps collecting their data. They should also be informed and consent to their data being sold to "government contractors for national security purposes."

Senator Wyden asks the US Director of National Intelligence to ensure that government security agencies audit the data collected, determine what data was obtained illegally, and purge the data as soon as possible.

This isn't the first we've heard of U.S. agencies buying data from data brokers. In October, the Department of Homeland Security confirmed it bought harvested data and used it track and ultimately detain immigrants.