美国国家安全局被曝秘密购买互联网浏览数据

The U.S. National Security Agency (NSA) has admitted to buying internet browsing records from data brokers to identify the websites and apps Americans use that would otherwise require a court order, U.S. Senator Ron Wyden said last week.

美国国家安全局（NSA）承认从数据经纪人那里购买互联网浏览记录，以识别美国人使用的网站和应用程序，否则需要法庭订单，美国参议员罗恩·怀登上周表示。

"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Wyden said in a letter to the Director of National Intelligence (DNI), Avril Haines, in addition to urging the government to take steps to "ensure that U.S. intelligence agencies only purchase data on Americans that has been obtained in a lawful manner."

“美国政府不应资助和合法化这个不光彩行业，其对美国人隐私的明目张胆的侵犯不仅是不道德的，而且是非法的，”怀登在致国家情报总监阿芙里尔·海恩斯的一封信中说，并敦促政府采取措施“确保美国情报机构只购买通过合法方式获得的美国人的数据。”

Metadata about users' browsing habits can pose a serious privacy risk, as the information could be used to glean personal details about an individual based on the websites they frequent.

关于用户浏览习惯的元数据可能构成严重的隐私风险，因为这些信息可以用来根据他们经常访问的网站推测出个人的个人细节。

This could include websites that offer resources related to mental health, assistance for survivors of sexual assault or domestic abuse, and telehealth providers who focus on birth control or abortion medication.

这可能包括提供与心理健康相关的资源的网站，帮助性侵幸存者或家庭暴力受害者的网站，以及专注于避孕或堕胎药物的远程医疗服务提供商。

In response to Wyden's queries, the NSA said it has developed compliance regimes and that it "takes steps to minimize the collection of U.S. person information" and "continues to acquire only the most useful data relevant to mission requirements."

作为对怀登的询问的回应，NSA表示已制定了合规制度，并且“采取措施尽量减少对美国个人信息的收集”，“继续只获取与任务要求相关的最有用的数据。”

The agency, however, said it does not buy and use location data collected from phones used in the U.S. without a court order. It also said it does not use location information obtained from automobile telematics systems from vehicles located in the country.

然而，该机构表示，未经法庭命令，它不购买和使用从在美国使用的手机中收集到的位置数据。它还表示不使用从该国的汽车遥测系统中获得的位置信息。

Ronald S. Moultrie, under secretary of defense for intelligence and security (USDI&S), said Department of Defense (DoD) components acquire and use commercially available information (CAI) in a manner that "adheres to high standards of privacy and civil liberties protections" in support of lawful intelligence or cybersecurity missions.

国防情报与安全事务副部长罗纳德·穆尔特里表示，国防部（DoD）组件以支持合法的情报或网络安全任务的方式获取和使用商业可用信息（CAI），并遵守高标准的隐私和公民自由保护。

The revelation is yet another indication that intelligence and law enforcement agencies are purchasing potentially sensitive data from companies that would necessitate a court order to acquire directly from communication companies. In early 2021, it was revealed the Defense Intelligence Agency (DIA) was buying and using domestic location data collected from smartphones via commercial data brokers.

这一披露进一步表明情报和执法机构正在从公司购买潜在敏感的数据，而这些数据需要直接从通信公司获得才需要法庭命令。早在2021年初，就有报道称国防情报局正在通过商业数据经纪人购买和使用通过智能手机收集到的国内位置数据。

The disclosure about warrantless purchase of personal data arrives in the aftermath of the Federal Trade Commission (FTC) prohibiting Outlogic (formerly X-Mode Social) and InMarket Media from selling precise location information to its customers without users' informed consent.

关于无需许可购买个人数据的披露是在联邦贸易委员会（FTC）禁止Outlogic（前身为X-Mode Social）和InMarket Media未经用户知情同意向其客户销售精确位置信息之后出现的。

Outlogic, as part of its settlement with the FTC, has also been barred from collecting location data that could be used to track people's visits to sensitive locations such as medical and reproductive health clinics, domestic abuse shelters, and places of religious worship.

作为与FTC达成的和解协议的一部分，Outlogic还被禁止收集可能用于跟踪人们访问敏感地点（如医疗和生殖保健诊所，家庭暴力庇护所和宗教场所）的位置数据。

The purchase of sensitive data from these "shady companies" has existed in a legal gray area, Wyden noted, adding the data brokers that buy and resell this data are not known to consumers, who are often kept in the dark about who their data is being shared with or where it is being used.

购买这些“不光彩公司”的敏感数据存在于法律灰色地带，怀登指出，补充说购买和转售这些数据的数据经纪人对消费者来说是未知的，消费者经常对与谁共享他们的数据以及数据的使用地点一无所知。

Another notable aspect of these shadowy data practices is that third-party apps incorporating software development kits (SDKs) from these data brokers and ad-tech vendors do not notify users of the sale and sharing of location data, whether it be for advertising or national security.

这些阴暗数据实践的另一个值得注意的方面是，包含来自这些数据经纪人和广告技术供应商的软件开发工具包（SDK）的第三方应用程序不会通知用户有关位置数据的销售和共享，无论是用于广告还是国家安全。

"According to the FTC, it is not enough for a consumer to consent to an app or website collecting such data, the consumer must be told and agree to their data being sold to 'government contractors for national security purposes,'" the Oregon Democrat said.

“根据FTC的规定，对于应用程序或网站收集此类数据，仅仅获得用户的同意是不够的，还必须告知用户并同意将他们的数据出售给‘政府承包商用于国家安全目的’，”俄勒冈州民主党人说。

"I am unaware of any company that provides such warnings to consumers before their data is collected. As such, the lawbreaking is likely industry-wide, and not limited to this particular data broker."

“在我所知道的公司中，没有任何一家在收集用户数据之前向消费者提供此类警告。因此，违法行为很可能是整个行业的现象，而不仅仅限于这个特定的数据经纪人。”

原文始发于微信公众号（知机安全）：美国国家安全局被曝秘密购买互联网浏览数据