A letter to the US Director of National Intelligence reveals that the NSA buys personal data which was illegally-obtained from smartphone users through the apps they use.
The open letter was sent by US senator and member of the Select Committee on Intelligence, Ron Wyden. He asks US security services to cease this practice, and to purge existing data which was obtained illegally …
NSA buys personal data that was illegally-obtained
When app developers capture personal information about you, they must by law disclose the ways in which that data will be used.
Something none of them disclose – but many of them do – is to sell your personal data, including location history, through data brokers to the Defense Intelligence Agency (DIA) and National Security Agency (NSA).
That’s, uh, probably something you’d want to know.
The Federal Trade Commission (the closest thing the US has to a federal privacy regulator) confirms this is illegal, and took legal action against one of the data brokers involved, X -Mode Social. But yesterday’s letter reveals that the DIA and NSA continue to purchase this data.
Security agencies would need a warrant
If security agencies like the NSA wanted to obtain this data directly from developers and internet service providers, they would need a search warrant.
But by buying the data indirectly, they avoid this requirement. This, says Senator Wyden, needs to stop.
I write to request that you take action to ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner.
As you know , U.S. intelligence agencies are purchasing personal data about Americans that would require a court order if the government demanded it from communications companies. I first revealed in 2021 that the Defense Intelligence Agency (DIA) was purchasing, storing, and using domestic location data. Such location data is collected from Americans smartphones by app developers, sold to data brokers, resold to defense contractors, and then resold again to the government. In addition; the National Security Agency (NSA) is buying Americans domestic internet metadata.
Wyden points out that the FTC has already ruled that this is illegal, as app users were not informed it was happening. The agency specifically said that it’s not enough for developers to disclose that they sell data to data brokers – they must specifically disclose that it will be sold on to US intelligence agencies.
The FTC held that such sensitive data sales are unlawful unless the data was obtained through consumer’s informed consent.
Location data is a particularly sensitive privacy breach
The FTC expressed particular concern about the sale of location data, which is especially sensitive.
The FTC notes in its complaint that the reason informed consent is required for location data is because it can be used to track people to sensitive locations, including medical facilities, places of religious worship, places that may be used to infer an LGBTQ+ identification, domestic abuse shelters, and welfare and homeless shelters.
Wyden says that data purchased from ISPs can be equally sensitive.
Such records can identify Americans who are seeking help from a suicide hotline or a hotline for survivors of sexual assault or domestic abuse, a visit to a telehealth provider focusing on specific health care need.
Intelligence agencies asked to take three steps
Wyden asks the US Director of National Intelligence to ensure each wing of the intelligence community does three things:
- Audit the personal data it holds on US citizens
- Identify data which was illegally collected and sold
- Purge this data
9to5Mac’s Take
The whole business of sketchy developers selling the personal data of their app users is an exceedingly murky one. While the FTC lays down rules they are supposed to follow, there seems to be very little oversight, leaving developers free to continue the practice without consequences.
Privacy policies use deliberately vague language to hide what is really happening. Here’s some typical wording:
We may share your personal information with third-party service providers or business partners
Few would guess that “business partners” means data brokers, or that this wording means “sell your personal data to the highest bidder, who will then sell it to anyone who wants it, including the NSA.”
We’ve argued before that the US needs federal privacy laws with teeth, modelled on Europe’s GDPR.
Photo by Chris Yang on Unsplash
FTC: We use income earning auto affiliate links. More.
Comments