Unclassified letter reveals NSA bought Americans’ internet browsing data without warrant

Are you worried that the government knows what you're looking at online? This concern may be justified. According to an unclassified NSA letter, the agency purchased U.S. citizens’ internet browsing information from commercial data brokers without a warrant.

In an unclassified letter dated December 11 to Sen. Ron Wyden, D-Ore., obtained by The New York Times, NSA Director Paul Nakasone confirmed that the NSA purchased internet metadata about Americans’ domestic internet activity from data brokers. Even more worryingly, the NSA did this without a warrant.

Nakasone emphasized that the data collected by the NSA does not include the content of private Internet communications. The information also does not include location data from cellphones "known to be in use in the United States," nor does the NSA purchase or use location data from U.S. cars.

The NSA director said the information is used to carry out legitimate Department of Defense missions such as intelligence, personnel security and cybersecurity.

In a letter to Director of National Intelligence Avril Haines, Wyden called the practice a "legal gray area," adding that the NSA has tried to keep its actions secret. The senator said the government needs to "wake up" and create new rules to ensure these organizations can only buy data that Americans agree to sell.

Wyden also wants the NSA to conduct an inventory of Americans' personal data the agency has purchased and purge any data that does not meet the Federal Trade Commission's standards for legal personal data sales: "The U.S. government should not be funding and legitimizing a disgraceful industry that blatantly invades Americans' privacy and is not only unethical, but illegal."

In a separate letter, Deputy Defense Secretary Ronald S. Mutrie defended the NSA's approach, saying it was subject to various safeguards. "I am not aware of any provision in U.S. law or judicial opinion [...] that the Department of Defense must obtain a court order to obtain, access, or use information such as CAI, which is as available to foreign adversaries, U.S. companies, and private individuals as it is to the U.S. government," he wrote in the letter.

The FTC has for years campaigned against data brokers selling people's information without consent. In 2022, the agency sued the company Kochava, accusing it of violating the privacy of millions of people by using their cell phone data to sell their precise locations. Earlier this month, the U.S. Federal Trade Commission also filed a lawsuit against data broker X-ModeSocial for selling location data.

Internet metadata can be as sensitive as location data, Wyden said, because it can identify Americans seeking help from suicide hotlines or hotlines for survivors of sexual assault or domestic abuse. Internet metadata can also highlight Americans seeking help from telemedicine providers who primarily provide abortion pills.