Senator Wyden Urges FTC Probe of Neustar Over Possible Selling of User Data to Government (msn.com)
Until 2020 Neustar was the domain name registry "for a number of top-level domains," according to its page on Wikipedia, "including .biz, .us (on behalf of United States Department of Commerce), .co, .nyc (on behalf of the city of New York), and .in."
But now U.S. Senator Ron Wyden has asked America's Federal Trade Commission to investigate whether Neustar violated the privacy rights of millions, reports the Washington Post, "when it sold records of where they went online to the federal government."
America's Department of Defense funded a research team at Georgia Tech who purchased Neustar's data starting in 2016, notes a letter from Senator Wyden. Wyden has obtained emails between those researchers and "both the FBI and the Department of Justice, indicating that government officials asked the researchers to run specific queries and that the researchers wrote affidavits and reports for the government describing their findings."
But in addition, Wyden now cites a Department of Justice statement (entered in an unrelated court case) which he says makes a concerning assertion: that Neustar executive Rodney Joffe, "who led the company's efforts to sell data to Georgia Tech, was also involved in the sale of DNS data directly to the U.S. government." The court documents say: Rodney Joffe and certain companies with which he was affiliated, including officers and employees of those companies, have provided assistance to and received payment from multiple agencies of the United States government. This has included assistance to the United States intelligence community and law enforcement agencies on cyber security matters. Certain of those companies have maintained contracts with the United States government resulting in payment by the United States of tens of millions of dollars for the provision of, among other things, Domain Name System ('DNS') data. These contracts included classified contracts that required company personnel to maintain security clearances.
From The Washington Post: The stipulation naming entrepreneur Rodney Joffe was the clearest confirmation to date of web histories being sold directly to federal law enforcement and intelligence agencies, instead of through information brokers exempt from restrictions on what telephone companies and websites can share with the government.
Wyden adds: The data that Neustar sold to Georgia Tech may have also included data collected from consumers who were explicitly promised that their data would not be sold to third parties. Between 2018 and 2020, Neustar acquired a competing recursive DNS service, which had previously been operated by Verisign. That service had been advertised to the public by Verisign with unqualified promises that "your public DNS data will not be sold to third parties."
When the product changed hands, users of Verisign's service were seamlessly transitioned to DNS servers that Neustar controlled. This meant that Neustar now received information about the websites accessed by these former Verisign-users, even though neither Verisign nor Neustar provided those users with meaningful, effective notice that the change of ownership had taken place, or that Neustar did not intend to honor the privacy promises that Verisign had previously made to those users. It is unclear if the data Neustar sold to Georgia Tech included data from users who had been promised by Verisign that their data would not be sold.
This is because both Neustar and Verisign have refused to answer questions from my office necessary to determine this important detail.
tldr (Score:1)
What's up with these verbose articles sometimes?
Re: (Score:1)
This data led to the Mueller investigation. The most ridiculous political witchhunt in history.
here's your sign [justsecurity.org]
Re: (Score:1)
Re: (Score:2)
Good call, that is not correct. Mental blunder on my part.
I was thinking the entire URL was leaked to the DNS server during connection setup which would leak all websites and even web pages viewed. I thought this was what ESNI or encrypted client hello was for.
Would lacking any of these security measures leak the full URL to the DNS provider?
-secure dns
-DNSSEC
-TLS 1.3
-ESNI or its replacement ECH
Or does only the receiving server know the full url?
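What a recursive resolver receives when a client looks up the host of a URL, shown as an added example that is not part of any comment in this thread. It encodes the RFC 1035 question for the URL's hostname and decodes it again as a resolver's query log would; the URL, transaction ID and function names are constructed for illustration.

```python
import struct
from urllib.parse import urlsplit

# Constructed sample URL; example.com is a reserved documentation domain.
SAMPLE_URL = "https://www.example.com/private/report?id=42"

def build_query(url, txid=0x1234):
    """Encode the A-record question a client sends for this URL's host (RFC 1035)."""
    host = urlsplit(url).hostname
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD=1, QDCOUNT=1
    qname = b"".join(bytes([len(label)]) + label.encode("ascii")
                     for label in host.split(".")) + b"\x00"
    return header + qname + struct.pack("!HH", 1, 1)  # QTYPE=A, QCLASS=IN

def resolver_view(packet):
    """Decode the question section, i.e. what a resolver's query log can record."""
    pos, labels = 12, []  # the fixed header is 12 bytes
    while packet[pos]:
        length = packet[pos]
        labels.append(packet[pos + 1:pos + 1 + length].decode("ascii"))
        pos += 1 + length
    qtype, qclass = struct.unpack("!HH", packet[pos + 1:pos + 5])
    return {"qname": ".".join(labels), "qtype": qtype, "qclass": qclass}

def visible_to_resolver(url):
    """Report which URL components are present in the DNS query bytes."""
    parts = urlsplit(url)
    packet = build_query(url)
    return {
        "host": resolver_view(packet)["qname"] == parts.hostname,
        "path": bool(parts.path) and parts.path.encode() in packet,
        "query": bool(parts.query) and parts.query.encode() in packet,
    }

if __name__ == "__main__":
    print(resolver_view(build_query(SAMPLE_URL)))
    print(visible_to_resolver(SAMPLE_URL))
```

DNS over HTTPS or TLS encrypts this same packet in transit, so the recursive resolver still decodes the same question. The path and query string travel in the HTTP request, which TLS encrypts.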
US gov been US gov... (Score:2)
Re: (Score:2)
If I could get bugs to stop voting for tough on crime bullshit we could put a stop to all this. Statistically speaking you've had more stolen from you by ex employers than you have ever had by petty crime. But we put something like 10 times the resources into petty crime that we do white collar crime.
Good old broken windows policing. I suppose it does keep
Re: US gov been US gov... (Score:2)
Re: (Score:2)
China is literally a dictatorship with a president for life. It's freaky and disturbing how dependent we are on them. Then again we came a hair's breadth away from becoming a dictatorship ourselves about 2 years ago so I suppose I'm going to talk
Re: (Score:1)
obligatory (Score:3)
Re: (Score:2, Troll)
Which of Trump's scams do you want to investigate? The NFTs? [sltrib.com] Oh, you said sham. My apologies.
Re: (Score:2)
I actually would buy a Trump trading card NFT if it was $25. $99 is too much.
How would you say it's a scam? I assume the money is going to Trump's pocket and whoever helped make it happen. Basically a political donation. How is that a scam?
Re: (Score:2)
Everyone running interference until their 6 year since criminal activity is up, then statute of limitations is up, right?
Anything that might have happened in the 2016 election is becoming legally 'old news' right around now. Quite a few people who did questionable things are probably partying pretty hard this winter after the statute of limitations passes
"we'll stop him" - Peter Strzok
What about GoDaddy? (Score:3)
What about GoDaddy? Neustar sold their DNS business to them a couple years ago.
Re: (Score:3)
Neustar sold the registry business to GoDaddy in early 2020, although it remains a separately-run entity called GoDaddy Registry.
I think the DNS business (UltraDNS and UltraDNS Public - the latter being the subject of the article) stayed with Neustar.
Re: (Score:2)
UltraDNS and UltraDNS Public
Oh? I didn't know they kept those. So many folks I know from UltraDNS don't work for Neustar anymore.
Re: (Score:3)
DNS is a protocol used for two different types of queries: authoritative (made from recursive DNS servers to registry-operated servers that list domains, and to the servers to which domains are delegated) and recursive (made from clients to recursive DNS servers). For the most part, they're operated separately.
The article starts off discussing the authoritative servers, which generally don't have any end-user data to sell, and are unrelated to the data-sharing complaint (as far as I can tell). Neustar _also
Re: (Score:2)
The situation is that local DNS operators like your ISP use that to sell your web history to whoever. If I'm not mistaken, that's why DNS over HTTPS and ESNI / ECH were developed. Before 2018, I don't think anyone realized it was being scraped for information on people.
Patriot act (Score:2)
Re: (Score:2)
IIRC they had to start buying data at some point because when they were just requesting and receiving it, the companies were considered an extension of govt and it was a 4th amendment violation. But if they're buying it, that's ok (apparently).
I think this all falls under section 703. But it's all a little unclear. Secret courts with secret hearings and only govt persecutors giving evidence (nobody acting as defense). Easy to lie to a FISA court when nobody is there to rebut.