Follow Slashdot blog updates by subscribing to our blog RSS feed

 



Forgot your password?
typodupeerror
×
The Military United States Software The Internet

Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data (vice.com) 37

An anonymous reader shares an excerpt from a report via Motherboard, written by Joseph Cox: Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world's internet traffic, and which in some cases provides access to people's email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard. Additionally, Sen. Ron Wyden says that a whistleblower has contacted his office concerning the alleged warrantless use and purchase of this data by NCIS, a civilian law enforcement agency that's part of the Navy, after filing a complaint through the official reporting process with the Department of Defense, according to a copy of the letter shared by Wyden's office with Motherboard.

The material reveals the sale and use of a previously little known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service. In the private industry, cybersecurity analysts use it for following hackers' activity or attributing cyberattacks. In the government world, analysts can do the same, but agencies that deal with criminal investigations have also purchased the capability. The military agencies did not describe their use cases for the tool. However, the sale of the tool still highlights how Team Cymru obtains this controversial data and then sells it as a business, something that has alarmed multiple sources in the cybersecurity industry.

"The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day," a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads. It adds that Augury provides access to "petabytes" of current and historical data. Motherboard has found that the U.S. Navy, Army, Cyber Command, and the Defense Counterintelligence and Security Agency have collectively paid at least $3.5 million to access Augury. This allows the military to track internet usage using an incredible amount of sensitive information. Motherboard has extensively covered how U.S. agencies gain access to data that in some cases would require a warrant or other legal mechanism by simply purchasing data that is available commercially from private companies. Most often, the sales center around location data harvested from smartphones. The Augury purchases show that this approach of buying access to data also extends to information more directly related to internet usage.
"The Augury platform is not designed to target specific users or user activity. The platform specifically does not possess subscriber information necessary to tie records back to any users," said Team Cymru in a statement to Motherboard. "Our platform does not provide user or subscriber information, and it doesn't provide results that show any pattern of life, preventing its ability to be used to target individuals. Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what's returned," Team Cymru said in another email.

Charles E. Spirtos from the Navy Office of Information told Motherboard in an email that NCIS specifically "conducts investigations and operations in accordance with all applicable laws and regulations. The use of net flow data by NCIS does not require a warrant." He added that NCIS has not used netflow during any criminal investigation, but that "NCIS uses net flow data for various counterintelligence purposes."

Meanwhile, the Department of Defense Office of the Inspector General, which the whistleblower alleges referred their complaint to the Navy, told Motherboard it had received Wyden's letter and was reviewing it. The Office of the Naval Inspector General declined to comment and directed Motherboard back to its Department of Defense counterpart. The Defense Counterintelligence and Security Agency also deferred to the Department of Defense.
This discussion has been archived. No new comments can be posted.

Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data

Comments Filter:
  • by rsilvergun ( 571051 ) on Wednesday September 21, 2022 @11:04PM (#62903667)
    This is why we have civilian oversight and why we don't keep people in the military indefinitely and give them cushy jobs and education after they get out.

    As long as you don't put fascists in charge of the civilian side of things and you make sure to keep taking care of EX soldiers this isn't a problem.

    It's much more concerning to have things like the FBI or ever loving local police getting a hold of this data by purchasing it in order to circumvent getting a warrant. We don't have good controls over our militarized police force like we do over our military.

    If we had a proper education system then instead of the propaganda kids get in their government and economics courses they'd be taught how civilian oversight works. Of course if they do how it worked for the military they wanted applied to police and we can't have that now can we?
    • by CaptQuark ( 2706165 ) on Thursday September 22, 2022 @01:18AM (#62903871)

      This problem isn't as obvious as "Oh hell, no. The military shouldn't be reviewing this data."

      The data is already being collected by Team Cymru and sold to many different customers. It makes sense that intelligence groups would want to know what information is being offered for sale so they can assess the vulnerabilities to the people and systems they protect.

      Team Cymru said "Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what's returned." so it's not like customers buying the data get every piece of information directly linked to every person on the internet, rather it is enough information to spot trends and perhaps identify data that should not be traveling the internet unencrypted.

      Should these intelligence agencies turn a blind eye to all the data the bad guys have access to? Probably not. Should we be concerned that by purchasing the data they are funding the gathering of even more data? That's a bit murkier. Should we forbid them from reviewing the data the bad guys can also purchase? Absolutely not.

      Hell, even Experian will scour the Dark Web for my information. [experian.com] Does that make Experian liable for the information on the Dark Web? Obviously not. If I'm informed that my personal information is available for purchase, I can change my passwords, strengthen my logon methods, and quit using services that repeatedly expose my data.

      TL;DR. The data is being gathered by Team Cymru regardless. The military and Three Letter Agencies are just reviewing what's in it. And yes, that simplistic summation glosses over the obvious potential for misuse if we don't trust the watchers.

      • Re: (Score:2, Troll)

        The data is already being collected by Team Cymru

        Yeah, but Team Cymru is based in the US so it's all good. Now get back to complaining about Chinese bogeymen!

        I never fail to be amused by the double standard here. Every ten-cent nail bought from China has secret 5G chips planted by CCP spies embedded inside it, but when US companies engage in actual real mass surveillance it blows over in a matter of days. So the lesson here is, whatever you do, don't be Chinese.

    • by skrugen ( 229044 )

      >This is why we have civilian oversight and why we don't keep people in the military indefinitely and give them cushy jobs and education after they get out.

      Of the 45 men elected president of the United States, 31 have had prior military service, while only 14 have had no prior military service.

      • Of the 45 men elected president of the United States, 31 have had prior military service, while only 14 have had no prior military service.

        There isn't much correlation between military service and being a "good" president, except that presidents who served in combat are less likely to get involved in wars.

    • Isn't there some law in the USA that prohibits the military from spying on its own citizens?
  • US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data

    I'm not sure they need all that, I'm pretty sure all that's pretty massive and I predict it will just get bigger. While it's possibly that at some time in the far, far, far future, the mass of all that may cause everything to collapse into a Black Hole, I'm not sure it needs active monitoring over the shorter time frame. Or am I missing something?

    • Or am I missing something?

      Yup. First rule of Government spending. You better spend every penny, or you won't get moar next year.

      Don't forget about the justification of black holes to toss the Government auditors in. Only the IRS needs auditors and lots of 'em.

      • by Anonymous Coward

        I've long though that budgetting like that is detrimental. But you need some controls, so how about better ones?

        I wonder what'd happen if you'd reward departments for giving back unused budget with a portion of that for discretionary spending. That then will be added to the budget for whatever it's actually spent on, so it's visible how much the budgets actually need to be.

        • I've long though that budgetting like that is detrimental. But you need some controls, so how about better ones?

          A sitting President felt the need to actually warn the American people about the growing rise and threat of the "Military Industrial Complex." A sitting President. Tends to say everything you need to know about controls. When even a President feels that concerned and basically can do nothing but warn, Average Citizen doesn't stand a chance.

          Sadly, that warning was issued over sixty years ago. Didn't do a damn thing.

          I wonder what'd happen if you'd reward departments for giving back unused budget with a portion of that for discretionary spending. That then will be added to the budget for whatever it's actually spent on, so it's visible how much the budgets actually need to be.

          Great idea. Perhaps start with COVID spending. For some reason billions sit unused and c

      • Yup. First rule of Government spending. You better spend every penny, or you won't get more next year.

        My father told me that when he was in the Army (way, way back) if you took two boxes of mortar shells on an exercise, you used two boxes, 'cause if you brought one back, the next time you asked for two you got one.

  • The platform specifically does not possess subscriber information necessary to tie records back to any users

    Every bit of info from users is a clue. Even if by itself it doesn't identify individuals, combined with other info it can potentially be used to paint a fuller picture and/or provide useful leads.

    I learned this in the 90's when stubborn trolls put 2 + 2 together on me from diverse sources and doxed me as "punishment for being wrong & arrogant". And that's just amateurs.

    (Maybe I was wrong and arro

  • Its the US government!, the CIA, The FBI and NSA and even the US military! Probably several other of these clandestine acronyms also. "Land of the free" free to be spied on!
  • includes data from over 550 collection points worldwide

    There's the real problem. What are these data collection points? Where are they? Places like the EU with actual privacy laws should hunt these down and eliminate them.

    • by sound+vision ( 884283 ) on Thursday September 22, 2022 @05:28AM (#62904077) Journal

      According to the summary:

      "Our platform... is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same."

      In other words, they're claiming someone else is setting up the malware and honeypots, and they're just innocently vacuuming up the data from the real bad guys.

      I'm not sure whether I believe it, or what difference it makes, but there it is.

      • And you can believe as much of that as you want. Malware authors are not known for voluntarily sharing their data, nor the its high quality. The type and quantity of data these people offer implies access to curated tracking databases and possibly even backbone taps.
  • Pretty near every app on your cellphone sends a continuous load of tracking data to multiple companies that show what you do and what you are looking at on their app. Even just from the metadata it can be clear who you are. Not illegal to collect and it is all for sale on the open market. The military buys it, and anyone with sufficient money and interest buys it.

  • Oh boy, now they know everything about me!

  • by Rosco P. Coltrane ( 209368 ) on Thursday September 22, 2022 @12:44AM (#62903843)

    They really wanted to recruit that Private Browsing they kept hearing so many good things about.

  • ... most internet traffic is porn, right?

    • ... most internet traffic is porn, right?

      That was quite a while ago. After that, it must have been spam that used so much energy you could power the world with it. Nowadays, it is loggers logging loggers logging loggers logging someone watching porn.

  • by John Smith 2294 ( 5807072 ) on Thursday September 22, 2022 @05:28AM (#62904075)
    Team Cymru can put whatever they want in that database, and the US military will just gobble it up, assuming it is real. They can't resist the bait. This is the beginning of the end of US global military dominance. Too stupid to survive.
    • They can get enough on most to be useful, given what's being collected. For this to be in their hands, ISPs; Phone carriers; service providers *cough* Gmail/all Alphabet *cough*, Apple and especially VPN companies have to be part of the intercept. Every Ecommerce site can ID you via your payment method, then place cross site cookies - possibly at the ISP or phone carrier level (no reason for the tracking marker to reach your device, just the immediate upstream one).

      But you're right, throw rocks into the v
  • "this tool can't do the evil thing" is spook speak for "We can totally do the evil thing your concerned about, and 10 you haven't thought of. We're smart enough to break up the teams working on each stage of the pipeline so if there is a leak, no single stage of the pipe can do the evil thing."

    AKA If you're relieved by the 'we're just collection uncollated info' misdirection you're wearing blinders.

Business is a good game -- lots of competition and minimum of rules. You keep score with money. -- Nolan Bushnell, founder of Atari

Working...