Your Privacy Is For Sale: NSA Spying on Americans By Purchasing Information From Data Brokers.

Data brokers are making millions by selling your data to intelligence and law enforcement agencies. Surveillance Capitalism is here.

The NSA is spying by buying your personal information.
Your data is being sold to the highest bidder by data brokers. Startling revelations have revealed that the highest bidders are the NSA and the FBI. The US government is actively buying your information to spy on you and to pursue criminal cases against you, all without a warrant. Surveillance capitalism has become the norm in the United States of America. #spyingbybuying

The Dystopia Is Now

Senator Ron Wyden has released a letter and declassified documents from the NSA Director, General Paul Nakasone (US Army) and the contents are damning. The NSA is openly admitting to collecting data from US citizens by purchasing it from shady data broker companies. This means that your hard earned tax dollars are being spent by intelligence as well as law enforcement agencies, to vacuum up your online data from sources which should not have it in the first place. The data broker industry is composed of shady companies selling your secrets to the highest bidder, a slimy business practice at best, but the fact that the US government is a deep pursed customer is disgusting and unacceptable. Wyden goes as far as to call this practice illegal following recent court cases against major data broker companies.

Every app you open, website you visit, message you send, or call you make is being logged, collected and organized into a neat product, and sold off like a cheap mattress. Your online identity and history has become commodified and is a product for sale to advertising agencies in addition to the watchful gaze of Uncle Sam. Surveillance capitalism has become a reality in United States, not only in private business but in the public sector as well.

This is not normal and this is not ok.

Uncle Sam's watchful eye is following you by gathering your metadata.

Surveillance Capitalism

The term "surveillance capitalism was brought into mainstream discourse by philosopher and social scientist Shoshana Zuboff through a number of articles and op-ed pieces. Her approach points to web2.0 companies like Google and Facebook as pioneering the mass collection of user data and transforming it into a product which can sold. This market surveillance of the population once available for purchase can be sold off to intelligence and law enforcement agencies as a currently legal loophole which doesn't technically qualify as domestic surveillance. Rather, this is simply the purchase of a dataset, which would otherwise be available to anyone who can afford to purchase it.

End users of services like Google Search, Amazon, or Facebook find their behavior meticiously catalogued into easy-to-query databases without their full informed consent. By clicking on that little "I accept the terms and condition" box when creating new accounts or signing up for new social media platforms, users are signing their rights away. This is of course the a best case scenario on the part of the websites. Due to little to no strong privacy protecting legislation in the United States, especially when compared to the EU's GDPR, citizens have zero control of what happens to their data. In the case of data brokers, they are not required to inform individuals who may be profiled by their platforms nor are they required to disclose how they gathered the information contained in these profiles.

In the case of some profiles which may include social media accounts, these can be gathered from stolen or leaked breach data which is not legally acquired information but is generally made public by hackers. Once public the data broker agencies clean up the data and repackage it for sale. This is simply a digital version of selling a brand new package which happened to fall of the truck driving in front of you. This gray area of sales has earned this industry a less than shining reputation, but the demand for data has made it easier to ignore the 50 Shades of Surveillance which they are enabling.

Data Brokers

Companies which collect and sell data about individual persons, companies, or other publicly available information are called Data Brokers, or Information Brokers. These companies have a wide variety of models and focuses. For example People Search websites like PeekYou have a sketchy reputation while credit rating agencies like Experian are commonly accepted and integrated into the financial system. What these companies have in common is that they collect and archive any data that they can get their hands on. Acxiom, another data analytics firm, is currently claiming to be in possession of over 2.5 billion people, nearly a third of the world population.

The business of big data began with the rise of credit rating agencies in the 1950's but it exploded with the rise in availability of internet access. It wasn't long before people search sites began offering publicly available information neatly collected for a small fee. At first this was similar to a phone book entry, but the introduction of social media companies and web2.0 drastically changed the amount and type of data which scrapable. Suddenly, people around the world were filling in profile information for growing social media platforms including their birthdays, relationships, images, even cell phone numbers. All this information was sold by tech companies to data brokers. Ever wonder how these platforms were able to operate their legions of servers without requiring you pay for their service? This was the magic behind the curtain. For what felt like nothing, many of us being teens or young adults at the time, handed over everything in exchange for a like.

It wasn't only companies eager to gather and sell information, intelligence and law enforcement agencies were also eager to get in on this freely available information. Court cases led to discussions regarding the legal status of using this kind of information in order to pursue criminal cases, often allowing this access without requiring a search warrant. These cases were long decided in favor of the government agencies under what came to be known as the Third Party Doctrine.

The NSA's collection of metadata allows them to monitor what you are doing online.

Third Party Doctrine Allows for Warrantless Surveillance

When legal arguments began to reach court rooms across America, a landmark case reached the Supreme Court regarding what law enforcement can and cannot access without a search warrant. In the case Smith v. Maryland, the court ruled that police the use of a pen register (a device which records telephone numbers dialed) to monitor the calls of a suspect as not considered a search and thus did not require law enforcement to first obtain a warrant. Following this 1979 decision, this kind of customer observation did not constitute a violation of the Fourth Amendment, not only that, but they also determined that users of a telephone do not have the reasonable expectation of privacy because this data would be recorded and stored by a telephone company.

This was the birth of the Third Party Doctrine.

Cases such as Smith v. Maryland have been directly cited by the NSA as legal justification for their monitoring and collection of data from US citizens. In 2012 Maryland once decided that cell phone location data was also not protected by the Fourth Amendment, because the use of a cell phone is voluntary and users cannot expect this information to be private. This assumption finally received legal resistance in the case Carpenter v. United States, where it was ruled that, counter to the third party doctrine, the government does require a warrant to obtain cell phone data. The court noted the symbiotic relationship that now exists between persons and their devices noting that they have become an extension of the human body and concluding that "when the Government tracks the location of a cell phone it achieves near perfect surveillance, as if it had attached an ankle monitor to the phone’s user."

Is The Fourth Amendment Dead?

In a response letter to Senator Wyden, Under Secretary of Defense for Intelligence and Security Ronald Moultie asserts:

"I am not aware of any requirement in U.S. law or judicial opinion, including the Supreme Court's decision in Carpenter v. United States... that DoD obtain a court order in order to acquire, access, or use information, such as CAI, that is equally available for purchase to foreign adversaries, U.S. companies, and private persons as it is to the U.S. Government."

Statements made by USDISR Ronald Moultie Statements made by USDISR Ronald Moultie

Herein lies the problem. What the NSA and FBI are doing is objectionable, but legally allowed and they are not required to gain warrants to make purchases from data brokers. Unless the United States Congress buckles down and passes strong legislation that restricts the sale of personal data in this manner nothing will change. If you expect this to happen overnight, it won't unless citizens whose identity has become a trading card for data companies stand up and demand legal action. This is possible! America, you are capable of great things! Make your voices heard and fight back. Don't let your digital soul be sold to the highest bidder. You can bet that if the NSA is buying this data, other intelligence agencies are as well and you may be targeted because of it.

The sale of personal data by the Data Broker Industry must be stopped.

Chief Justice Roberts' closing opinion in Carpenter case might shine a ray of hope for those who wish to maintain their privacy in the face of invasive data brokers and hungry intelligence agencies. In his closing arguments he highlights the differences between the early stages of telecommunication and the ever present role that technology plays today. "Unlike the nosy neighbor who keeps an eye on comings and goings, they [new technologies] are ever alert, and their memory is nearly infallible. There is a world of difference between the limited types of personal information addressed in Smith [...] and the exhaustive chronicle of location information casually collected by wireless carriers today."

We need this reform. We cannot expect near century old approaches to technology to be in any way relevant to the digital leviathan we have unleashed. These policies must be reevaluated under the advise and leadership of experts in the fields of technology and privacy alike. This cause is championed by the Electronic Frontier Foundation and if you are looking to help protect privacy, they deserve your support. In the meantime, if you are looking for secure and private treatment for your data, you should start looking elsewhere.

Your Data Is Not Safe Stateside

With limited protections for your data in the United States, the inter-connected digital world can play to your advantage by allowing you to store your information securely in the EU. The EU has much stronger privacy and data protections thanks to the GDPR laws. Not only that, but there are multiple great privacy respecting companies based in Europe whose focus is protecting your information from the watchful eyes of data brokers and government agencies.

If you are looking for a secure anchor to your digital life, you will need to start with a private email account. We have created a guide comparing secure and private email providers which you can check out here. By employing end-to-end encryption which secures your data from eavesdropping before it leaves your device, you can rest assured that the contents of your communications are safe.

What the NSA Collects

Following Wyden's release of the unclassified NSA documents, we can confirm through their own admission that the NSA is purchasing the following consumer available information about Americans:

  • Information associated with electronic devices used outside and somtimes inside the United States.
  • Buys and uses commercially available netflow data related to domestic internet communications and communication where one party is located abroad. This includes DNS records which may be present in data broker products.
  • Does not buy location data from phones known to be used in US, with or w/o court order.
  • Does not buy location data from vehicles known to be located in US.

VPN Connections Are Not Safe

By collecting netflow data, intelligence and law enforcement agencies are able to piece together internet traffic even if the traffic is being tunneled through a VPN. This means that hiding behind a VPN alone will not give you complete anonymity when browsing the web or connecting to your favorite applications. This does not mean that a VPN is entirely useless, but it's ability to protect you is more limited than VPN providers like to let on. It is nearly impossible to completely avoid data being collected by your ISP, unless you were to start building up your own infrastructure. Even using the Tor browser still reveals to your ISP that you are using Tor, despite the content of your network traffic being encrypted.

The EU Provides Security and Peace Of Mind for Your Data

A great first step is trying to move as much of your digital life to countries which have stronger privacy laws. Of course, it will not be possible to start using an ISP based in Germany if you are living in Iowa, but by choosing service providers that offer end-to-end encryption by default and have a zero-log policy, you can rest assured that there is at least very little data linked to you. At Tuta, we do not track any login IP information which can be linked to individual users, nor do we log account activity. If you are concerned about your privacy, making the jump to companies located in the European Union is a must. Tuta is currently nearing the release of a new encryption standard which can protect your data against the threat of post-quantum computers, which would be capable of breaking the currently used encryption standards quickly. By rolling out post-quantum encryption, your data will be safe from the practice of "harvest first, decrypt later." This will provide a higher degree of protection for your emails, calendars, contact information, and soon any data you wish to store in the cloud.

Where we go from here in the quest for complete online anonymity is still an open question. But we can rest assured that end-to-end encryption isn't going anywhere.

Be safe and happy encrypting.