Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data (vice.com) 37
An anonymous reader shares an excerpt from a report via Motherboard, written by Joseph Cox: Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world's internet traffic, and which in some cases provides access to people's email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard. Additionally, Sen. Ron Wyden says that a whistleblower has contacted his office concerning the alleged warrantless use and purchase of this data by NCIS, a civilian law enforcement agency that's part of the Navy, after filing a complaint through the official reporting process with the Department of Defense, according to a copy of the letter shared by Wyden's office with Motherboard.
The material reveals the sale and use of a previously little known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service. In the private industry, cybersecurity analysts use it for following hackers' activity or attributing cyberattacks. In the government world, analysts can do the same, but agencies that deal with criminal investigations have also purchased the capability. The military agencies did not describe their use cases for the tool. However, the sale of the tool still highlights how Team Cymru obtains this controversial data and then sells it as a business, something that has alarmed multiple sources in the cybersecurity industry.
"The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day," a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads. It adds that Augury provides access to "petabytes" of current and historical data. Motherboard has found that the U.S. Navy, Army, Cyber Command, and the Defense Counterintelligence and Security Agency have collectively paid at least $3.5 million to access Augury. This allows the military to track internet usage using an incredible amount of sensitive information. Motherboard has extensively covered how U.S. agencies gain access to data that in some cases would require a warrant or other legal mechanism by simply purchasing data that is available commercially from private companies. Most often, the sales center around location data harvested from smartphones. The Augury purchases show that this approach of buying access to data also extends to information more directly related to internet usage. "The Augury platform is not designed to target specific users or user activity. The platform specifically does not possess subscriber information necessary to tie records back to any users," said Team Cymru in a statement to Motherboard. "Our platform does not provide user or subscriber information, and it doesn't provide results that show any pattern of life, preventing its ability to be used to target individuals. Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what's returned," Team Cymru said in another email.
Charles E. Spirtos from the Navy Office of Information told Motherboard in an email that NCIS specifically "conducts investigations and operations in accordance with all applicable laws and regulations. The use of net flow data by NCIS does not require a warrant." He added that NCIS has not used netflow during any criminal investigation, but that "NCIS uses net flow data for various counterintelligence purposes."
Meanwhile, the Department of Defense Office of the Inspector General, which the whistleblower alleges referred their complaint to the Navy, told Motherboard it had received Wyden's letter and was reviewing it. The Office of the Naval Inspector General declined to comment and directed Motherboard back to its Department of Defense counterpart. The Defense Counterintelligence and Security Agency also deferred to the Department of Defense.
The material reveals the sale and use of a previously little known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service. In the private industry, cybersecurity analysts use it for following hackers' activity or attributing cyberattacks. In the government world, analysts can do the same, but agencies that deal with criminal investigations have also purchased the capability. The military agencies did not describe their use cases for the tool. However, the sale of the tool still highlights how Team Cymru obtains this controversial data and then sells it as a business, something that has alarmed multiple sources in the cybersecurity industry.
"The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day," a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads. It adds that Augury provides access to "petabytes" of current and historical data. Motherboard has found that the U.S. Navy, Army, Cyber Command, and the Defense Counterintelligence and Security Agency have collectively paid at least $3.5 million to access Augury. This allows the military to track internet usage using an incredible amount of sensitive information. Motherboard has extensively covered how U.S. agencies gain access to data that in some cases would require a warrant or other legal mechanism by simply purchasing data that is available commercially from private companies. Most often, the sales center around location data harvested from smartphones. The Augury purchases show that this approach of buying access to data also extends to information more directly related to internet usage. "The Augury platform is not designed to target specific users or user activity. The platform specifically does not possess subscriber information necessary to tie records back to any users," said Team Cymru in a statement to Motherboard. "Our platform does not provide user or subscriber information, and it doesn't provide results that show any pattern of life, preventing its ability to be used to target individuals. Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what's returned," Team Cymru said in another email.
Charles E. Spirtos from the Navy Office of Information told Motherboard in an email that NCIS specifically "conducts investigations and operations in accordance with all applicable laws and regulations. The use of net flow data by NCIS does not require a warrant." He added that NCIS has not used netflow during any criminal investigation, but that "NCIS uses net flow data for various counterintelligence purposes."
Meanwhile, the Department of Defense Office of the Inspector General, which the whistleblower alleges referred their complaint to the Navy, told Motherboard it had received Wyden's letter and was reviewing it. The Office of the Naval Inspector General declined to comment and directed Motherboard back to its Department of Defense counterpart. The Defense Counterintelligence and Security Agency also deferred to the Department of Defense.
Um... Yeah of course they did (Score:4, Insightful)
As long as you don't put fascists in charge of the civilian side of things and you make sure to keep taking care of EX soldiers this isn't a problem.
It's much more concerning to have things like the FBI or ever loving local police getting a hold of this data by purchasing it in order to circumvent getting a warrant. We don't have good controls over our militarized police force like we do over our military.
If we had a proper education system then instead of the propaganda kids get in their government and economics courses they'd be taught how civilian oversight works. Of course if they do how it worked for the military they wanted applied to police and we can't have that now can we?
Re: Um... Yeah of course they did (Score:5, Insightful)
This problem isn't as obvious as "Oh hell, no. The military shouldn't be reviewing this data."
The data is already being collected by Team Cymru and sold to many different customers. It makes sense that intelligence groups would want to know what information is being offered for sale so they can assess the vulnerabilities to the people and systems they protect.
Team Cymru said "Our platform only captures a limited sampling of the available data, and is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same. Results are then further limited in the scope and volume of what's returned." so it's not like customers buying the data get every piece of information directly linked to every person on the internet, rather it is enough information to spot trends and perhaps identify data that should not be traveling the internet unencrypted.
Should these intelligence agencies turn a blind eye to all the data the bad guys have access to? Probably not. Should we be concerned that by purchasing the data they are funding the gathering of even more data? That's a bit murkier. Should we forbid them from reviewing the data the bad guys can also purchase? Absolutely not.
Hell, even Experian will scour the Dark Web for my information. [experian.com] Does that make Experian liable for the information on the Dark Web? Obviously not. If I'm informed that my personal information is available for purchase, I can change my passwords, strengthen my logon methods, and quit using services that repeatedly expose my data.
TL;DR. The data is being gathered by Team Cymru regardless. The military and Three Letter Agencies are just reviewing what's in it. And yes, that simplistic summation glosses over the obvious potential for misuse if we don't trust the watchers.
Re: (Score:2, Troll)
The data is already being collected by Team Cymru
Yeah, but Team Cymru is based in the US so it's all good. Now get back to complaining about Chinese bogeymen!
I never fail to be amused by the double standard here. Every ten-cent nail bought from China has secret 5G chips planted by CCP spies embedded inside it, but when US companies engage in actual real mass surveillance it blows over in a matter of days. So the lesson here is, whatever you do, don't be Chinese.
Re: (Score:1)
>This is why we have civilian oversight and why we don't keep people in the military indefinitely and give them cushy jobs and education after they get out.
Of the 45 men elected president of the United States, 31 have had prior military service, while only 14 have had no prior military service.
Re: (Score:2)
Of the 45 men elected president of the United States, 31 have had prior military service, while only 14 have had no prior military service.
There isn't much correlation between military service and being a "good" president, except that presidents who served in combat are less likely to get involved in wars.
Re: (Score:2)
Mass monitoring unnecessary (Score:2)
US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data
I'm not sure they need all that, I'm pretty sure all that's pretty massive and I predict it will just get bigger. While it's possibly that at some time in the far, far, far future, the mass of all that may cause everything to collapse into a Black Hole, I'm not sure it needs active monitoring over the shorter time frame. Or am I missing something?
Re: (Score:1)
Or am I missing something?
Yup. First rule of Government spending. You better spend every penny, or you won't get moar next year.
Don't forget about the justification of black holes to toss the Government auditors in. Only the IRS needs auditors and lots of 'em.
Re: (Score:1)
I've long though that budgetting like that is detrimental. But you need some controls, so how about better ones?
I wonder what'd happen if you'd reward departments for giving back unused budget with a portion of that for discretionary spending. That then will be added to the budget for whatever it's actually spent on, so it's visible how much the budgets actually need to be.
Re: (Score:2)
I've long though that budgetting like that is detrimental. But you need some controls, so how about better ones?
A sitting President felt the need to actually warn the American people about the growing rise and threat of the "Military Industrial Complex." A sitting President. Tends to say everything you need to know about controls. When even a President feels that concerned and basically can do nothing but warn, Average Citizen doesn't stand a chance.
Sadly, that warning was issued over sixty years ago. Didn't do a damn thing.
I wonder what'd happen if you'd reward departments for giving back unused budget with a portion of that for discretionary spending. That then will be added to the budget for whatever it's actually spent on, so it's visible how much the budgets actually need to be.
Great idea. Perhaps start with COVID spending. For some reason billions sit unused and c
Re: (Score:2)
Yup. First rule of Government spending. You better spend every penny, or you won't get more next year.
My father told me that when he was in the Army (way, way back) if you took two boxes of mortar shells on an exercise, you used two boxes, 'cause if you brought one back, the next time you asked for two you got one.
Can they put that writing? (Score:1)
Every bit of info from users is a clue. Even if by itself it doesn't identify individuals, combined with other info it can potentially be used to paint a fuller picture and/or provide useful leads.
I learned this in the 90's when stubborn trolls put 2 + 2 together on me from diverse sources and doxed me as "punishment for being wrong & arrogant". And that's just amateurs.
(Maybe I was wrong and arro
Correction [Re:Can they put that [in] writing?] (Score:1)
"Can they put that in writing?"
dammit.
Note even one's typo patterns are a clue.
Big brother is real (Score:2)
Data collection points (Score:2, Insightful)
includes data from over 550 collection points worldwide
There's the real problem. What are these data collection points? Where are they? Places like the EU with actual privacy laws should hunt these down and eliminate them.
Re:Data collection points (Score:5, Informative)
According to the summary:
"Our platform... is further restricted by only allowing queries against restricted sampled and limited data, which all originates from malware, malicious activity, honeypots, scans, and third parties who provide feeds of the same."
In other words, they're claiming someone else is setting up the malware and honeypots, and they're just innocently vacuuming up the data from the real bad guys.
I'm not sure whether I believe it, or what difference it makes, but there it is.
Re: Data collection points (Score:2)
Ubiquitous (Score:2)
Pretty near every app on your cellphone sends a continuous load of tracking data to multiple companies that show what you do and what you are looking at on their app. Even just from the metadata it can be clear who you are. Not illegal to collect and it is all for sale on the open market. The military buys it, and anyone with sufficient money and interest buys it.
Did they create a Facebook account? (Score:2)
Oh boy, now they know everything about me!
Re: (Score:3)
Hey, you know all that legal hubbub around the revelations of Edward Snowden we saw a few years back?
The most important lesson from Snowdengate is that most Americans don't care if their government spies on them.
Re: (Score:2)
Hey, you know all that legal hubbub around the revelations of Edward Snowden we saw a few years back?
The most important lesson from Snowdengate is that most Americans don't care if their government spies on them.
The most important lesson from social media addiction is that most Americans are rabid narcissists, and don't care if anyone spies on them. Privacy died when GenMilliZ realized they could be paid well for being a Professional Attention Whore.
Probably the most annoying thing about the taxpayer cost of customized surveillance systems like this. Government hardly needs it when social media screams volumes for free.
Well obviously (Score:5, Funny)
They really wanted to recruit that Private Browsing they kept hearing so many good things about.
Wonder why because ... (Score:2)
... most internet traffic is porn, right?
Re: (Score:2)
... most internet traffic is porn, right?
That was quite a while ago. After that, it must have been spam that used so much energy you could power the world with it. Nowadays, it is loggers logging loggers logging loggers logging someone watching porn.
Wow, is that ever dumb. (Score:3)
Re: (Score:2)
But you're right, throw rocks into the v
The big brother collation tool cost extra (Score:2)
AKA If you're relieved by the 'we're just collection uncollated info' misdirection you're wearing blinders.