Multiple branches of the US military have bought access to “petabytes” of American citizens’ private online data via a tool called Augury, giving them access to an almost omniscient set of data points, Senator Ron Wyden (D-Oregon) claimed in a letter to the Office of the Inspector General (OIG) on Wednesday.
The alleged data trove includes an individual’s email communications, browsing history, and other behavioral information, all on demand and without a warrant,
The senator asked the OIG to investigate the Department of Homeland Security and the Justice Department’s purchase and use of any such records. He cited a report his office received from a military whistleblower regarding the Naval Criminal Investigative Service (NCIS) buying and using netflow data from data broker Team Cymru.
Netflow data includes proprietary information normally available only to internet service providers, and is likely being provided without the informed consent of those providers – let alone judicial authorization.
Wyden’s own investigation of the whistleblower’s claim appeared to reveal that US Cyber Command, the Army, FBI, and Secret Service had also purchased the company’s data sets. An investigation by Motherboard found they paid a total of $3.5 million to use Team Cymru’s tool Augury, which allegedly can access 93% of internet traffic. It uses a technology called packet capture data (PCAP), which one cybersecurity technology professional referred to as “everything… there’s nothing else to capture except the smell of electricity.”
A spokesman from the Navy Office of Information told Motherboard that “The use of net flow data by NCIS does not require a warrant,” claiming the agency had not used netflow for criminal investigation purposes – only for “various counterintelligence purposes.” The other agencies which reportedly purchased Augury did not respond to the outlet’s request for comment.
For their part, Team Cymru has insisted its tool “is not designed to target specific users or user activity. The platform specifically does not possess subscriber information necessary to tie records back to any users.” However, previous studies have shown that relatively few data points are needed in order to de-anonymize individuals in a database, meaning that even the “limited sampling of the available data” it allows may be enough to unmask an individual – and gain access to the totality of their online existence.