A hot potato: Are you worried that the government knows what you're looking at online? That paranoia might be somewhat justified. According to an unclassified letter by the National Security Agency, the organization purchases internet browsing information on US citizens from commercial data brokers without a warrant.

In an unclassified December 11 letter addressed to Oregon Democratic Senator Ron Wyden obtained by the New York Times, NSA director Paul Nakasone confirms the agency buys internet metadata from data brokers relating to Americans' domestic internet activities. What's even more concerning is that the NSA does this without a warrant.

Nakasone emphasizes that the data the NSA collects does not include the content of private internet communications. The information doesn't include location data from phones "known to be used in the United States" either, and the NSA doesn't buy or use location data from automobiles in the US.

The NSA director said the information is used to conduct lawful DoD missions, such as intelligence, personnel security, and cybersecurity.

In a letter to Director of National Intelligence Avril Haines, Wyden called the practice a "legal gray area," adding that the NSA had been trying to keep its actions secret. The Senator said the government needs a "wake-up call" and that there needs to be new rules that ensure the organizations can only purchase data that Americans have consented to be sold.

Wyden also wants the NSA to conduct an inventory of the personal data purchased by the agency about Americans, and purge anything that does not meet the FTC's standard for legal personal data sales.

"The U.S. government should not be funding and legitimizing a shady industry whose flagrant violations of Americans' privacy are not just unethical, but illegal," Wyden wrote.

Under Secretary of Defense Ronald S. Moultrie defended the NSA's practice in a separate letter, saying it was subject to various safeguards. "I am not aware of any requirement in U.S. law or judicial opinion […] that DoD obtain a court order in order to acquire, access or use information, such as CAI, that is equally available for purchase to foreign adversaries, U.S. companies and private persons as it is to the U.S. government," he wrote.

The FTC has fought for years against data brokers selling people's information without their consent. In 2022, the agency sued Kochava over allegations it violated millions of people's privacy by selling their precise locations using data from their phones. The FTC also brought action against data broker X -Mode Social earlier this month over the sale of location data.

Wyden said that internet metadata can be just as sensitive as location data, as it can identify Americans who are, for example, seeking help from suicide hotlines or those for survivors of sexual assault or domestic abuse. It could also highlight a visit to a telehealth provider that focuses on prescribing abortion pills.