from the haystacks-at-wholesale-prices dept
Everyone’s got a hunger for data. Constitutional rights sometimes prevent those with a hunger from serving themselves. But when they’ve got third parties on top of third parties, all Fourth Amendment bets are off. Data brokers are getting rich selling government agencies the data they want at low, low prices, repackaging information gathered from other third parties into tasty packages that give US government agencies the data they want with the plausible deniability they need.
Relying on the third-party doctrine that mostly ignores the Fourth Amendment and the public claims of data brokers that the massive amount of data being hawked to willing buyers cannot, in and of itself, positively ID anyone, federal agencies are amassing haystacks without having to worry too much about upsetting the probable cause cart.
Who’s grabbing all this data from data brokers? Well, it’s DC’s heaviest hitters, including ICE, CBP, the FBI, IRS, Secret Service, and — according to this report from Joseph Cox for Motherboard — the Department of Defense.
Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard.
The report is drawn from the information revealed by Senator Ron Wyden in his letter [PDF] to the Inspectors General of the FBI and DHS, as well as (most relevantly here) the Defense Department’s oversight.
The material reveals the sale and use of a previously little known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service.
As Cox points out, there are non-privacy violating uses for this data. Analysts and security researchers use this treasure trove to track malicious hackers and/or do due diligence for cyberattack attribution.
How the US military utilizes this data is unknown. Much of it appears to be foreign-facing, which means most collections won’t raise constitutional eyebrows. The procurement record shows the Defense Department is particularly interested in accessing data from collection points around the world, including those found in Europe, the Middle East, Africa, and Asia. But the procurement request also notes the data accessed might originate in North America, which is where plenty of US citizens reside.
Even if the Defense Department makes an effort to steer clear of US persons’ data, there’s no way Team Cymru can guarantee the military won’t end up with plenty of local data in its possession. Its (defensive) statements in response to questions from Motherboard suggests that by the time the data is packaged for sale, the company doing the harvesting (either directly or indirectly) doesn’t have much insight into its country of origin.
“Our platform does not provide user or subscriber information, and it doesn’t provide results that show any pattern of life, preventing its ability to be used to target individuals. Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what’s returned,” Team Cymru said in another email.
If the platform truly laundered data into near-obscurity, it would be useless to those seeking it. So, either Team Cymru is relying on things unsaid to imply it isn’t helping federal agencies bypass constitutional protections, or it’s providing a service that asks end users to do all the analytic heavy lifting. It seems unlikely federal agencies (which include the FBI and DHS) would pay good money for access to a bunch of data that can’t be used to observe “patterns of life” or otherwise assist in pulling needles from Augury’s haystacks.
And a *lot* of money has been spent. Wyden’s letter notes the DoD has been evasive when asked direct questions by the senator.
While I have been able to make public important details about government agencies’ purchase of location data, my efforts to probe and shed light on the government’s purchase of internet browsing records have been frustrated by the Pentagon.
After DOD refused to release this information without restrictions, my staff learned that public contract information had been posted online, showing that multiple DoD agencies purchased data from data brokers that reveal internet browsing history: The Defense Counterintelligence and Security Agency spent more than $2 million purchasing access to netflow data, and the Defense Intelligence Agency purchased Domain Name System data. My office asked DOD to re-review their decision to maintain the CUI restrictions on the written answers DOD had previously provided, in light of these public contracts. DOD yet again refused, on May 25, 2022.
The Defense Department appears very reluctant to discuss its $2 million contract that allows it to hook itself up to Team Cmyru’s firehose. Rest assured, these government dollars are not being misspent. The DoD is definitely getting what it paid for.
Public contracting records confirm that the Augury tool provides access to “petabytes” of network data “from over 550 collection points worldwide” and “is updated with at least 100 billion new records each day.” The contracting records also confirm that Augury provides access to email data (“IMAP/POP/SMTP pcap data”) and data about web browser activity (“cookie usage,” “UserAgent data” and “URLs accessed”).
For those not familiar with the term used by Wyden, “pcap” is all-encompassing when it comes to internet traffic data.
PCAP data is “everything,” Zach Edwards, a cybersecurity researcher who has closely followed the data trade, told Motherboard in an online chat. “It’s everything. There’s nothing else to capture except the smell of electricity.”
Massive amounts of data, only limited by the government’s desire and Team Cmyru’s internal controls, whatever they actually are. That’s a lot of info on internet users’ habits, all of which can be had for a few million dollars a year, unrestrained by constitutional restrictions. As far as the government is concerned, a bunch of data that can be used to identify people and track their internet habits, if not their actual location (thanks to the wealth of location data generated by devices, apps, and on-the-go software) isn’t a Fourth Amendment issue because there are a few degrees of separation (and, possibly, meaningless “anonymization”) separating data generators from the government agencies buying access to this data.
That the Defense Department is unwilling to speak honestly to Wyden about this data haul signals there’s something questionable about its actions. Hopefully, this pressure will persuade the DoD to terminate its contract with Augury/Team Cmyru and find more constitutionally-sound ways to gather data.