The Federal Bureau of Investigation paid tens of thousands of dollars on internet data, known as “netflow” data, collected in bulk by a private company, according to internal FBI documents obtained by Motherboard.
The documents provide more insight into the often overlooked trade of internet data. Motherboard has previously reported the U.S. Army’s and FBI’s purchase of such data. These new documents show the purchase was for the FBI’s Cyber Division, which investigates hackers in the worlds of cybercrime and national security.
“Commercially provided net flow information/data—2 months of service,” the internal document reads. Motherboard obtained the file through a Freedom of Information Act (FOIA) request with the FBI.
Do you work at a company that handles netflow data? Do you work at an ISP distributing that data? Or do you know anything else about the trade or use of netflow data? We'd love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email firstname.lastname@example.org.
Netflow data creates a picture of traffic volume and flow across a network. This can include which server communicated with another, information that is ordinarily only available to the owner of the server or to the internet service provider (ISP) carrying the traffic. Team Cymru, the company ultimately selling this data to the FBI, obtains it from deals with ISPs by offering them threat intelligence in return. These deals are likely conducted without the informed consent of ISPs’ users.
Team Cymru explicitly markets its product’s capability of being able to track traffic through virtual private networks, and show which server traffic is originating from. Multiple sources previously told Motherboard that netflow data can be used to identify infrastructure used by hackers.
Team Cymru’s products can also include data such as URLs visited, cookies, and PCAP data, but the FBI document does not specify access to any of these data types. In parallel to Motherboard’s earlier coverage of netflow sales of U.S. agencies, a whistleblower approached the officer of Senator Ron Wyden and reported to them the alleged warrantless use of this data by NCIS, a civilian law enforcement agency that’s part of the Navy. The whistleblower approached Wyden’s office after filing a complaint through the official reporting process with the Department of Defense. NCIS previously told Motherboard it uses netflow data “for various counterintelligence purposes.”
“Last fall I asked the DOJ Inspector General to investigate the FBI’s purchase of metadata, after a whistleblower came forward,” Wyden told Motherboard in a statement last week. Responding to the newly uncovered FBI document, Wyden said it “provides further evidence the FBI has purchased internet metadata, which can reveal the websites Americans visit, as well as sensitive information such as what doctor a person sees, their religion or what dating sites they use.”
“The FBI owes the American people an explanation of what data it has purchased about Americans’ internet browsing histories and provide more transparency about its activities. It is not acceptable for the government to go around the courts by using a credit card to buy private information, which is why I have proposed the Fourth Amendment is Not for Sale Act to ban the purchase of this kind of private data,” the statement added.
The FBI declined to comment.
The FBI document relates to a $76,450 purchase of netflow data in 2017. The FBI has also bought products from Argonne Ridge Group, the affiliate Team Cymru uses for contracts with public agencies, in 2009, 2011, and 2013.
Team Cymru did not respond to a request for comment.
After Motherboard reported the U.S. Army and other purchases of Team Cymru data, the Tor Project, the organization behind the Tor anonymity network, said it was moving away from infrastructure that Team Cymru had donated. The Tor Project told Motherboard it expects that migration to be completed this Spring.
The FBI has bought other types of data from the commercial sector. Earlier this month, FBI Director Christopher Wray confirmed in a hearing that the FBI previously purchased American’s smartphone location data. The purchase was part of a national security pilot project which has not been active for some time, Wray said.
“We do not currently purchase commercial database information,” Wray said.
Subscribe to our cybersecurity podcast, CYBER. Subscribe to our new Twitch channel.