A US Senator has called on the Office of Inspector General (OIG) to investigate a report from a military whistleblower regarding the Naval Criminal Investigative Service (NCIS) members buying and using netflow data to access private online data of American citizens.
Citing the report, Democratic Senator Ron Wyden of Oregon asserted in a letter to the OIG earlier this week that multiple branches of the US military have purchased access to “petabytes” of citizens’ private data via a tool called Augury obtained from the Florida-based internet security firm and data broker Team Cymru, RT reported on Saturday.
According to the report, the alleged data trove includes an individual’s email communications, browsing history, and other behavioral information, all on demand and without a legal warrant.
Wyden further asked the OIG to investigate the Department of Homeland Security and the Justice Department’s purchase and use of any such records.
Netflow data, the report noted, includes proprietary information normally available only to internet service providers, but is likely being provided to military service members without the informed consent of those providers – let alone judicial authorization.
The Senator’s own investigation of the whistleblower’s claim appeared to reveal that US Cyber Command, the Army, FBI, and Secret Service had also purchased the company’s data sets, the report added, noting that a probe of the case by Motherboard news outlet further found that they paid a total of $3.5 million to use Team Cymru’s tool Augury, which allegedly can access 93 percent of internet traffic using a technology called packet capture data (PCAP).
The Motherboard report further cited a spokesman from the Navy Office of Information as saying that “The use of net flow data by NCIS does not require a warrant,” claiming the agency had not used netflow for criminal investigation purposes – only for “various counterintelligence purposes.”
The other agencies which reportedly purchased Augury did not respond to the outlet’s request for comment.
Team Cymru, meanwhile, has insisted that its tool “is not designed to target specific users or user activity,” noting that “the platform specifically does not possess subscriber information necessary to tie records back to any users.”
However, previous studies have shown that relatively few data points are needed in order to de-anonymize individuals in a database, meaning that even the “limited sampling of the available data” it allows may be enough to unmask an individual – and gain access to the totality of their online existence.