Revealed: US Military Bought Mass Monitoring Tool That Includes Internet Browsing, Email Data

Multiple branches of the U.S. military have bought access to a powerful internet monitoring tool that claims to cover over 90 percent of the world’s internet traffic, and which in some cases provides access to people’s email data, browsing history, and other information such as their sensitive internet cookies, according to contracting data and other documents reviewed by Motherboard.

Additionally, Sen. Ron Wyden says that a whistleblower has contacted his office concerning the alleged warrantless use and purchase of this data by NCIS, a civilian law enforcement agency that’s part of the Navy, after filing a complaint through the official reporting process with the Department of Defense, according to a copy of the letter shared by Wyden’s office with Motherboard.

The material reveals the sale and use of a previously little-known monitoring capability that is powered by data purchases from the private sector. The tool, called Augury, is developed by cybersecurity firm Team Cymru and bundles a massive amount of data together and makes it available to government and corporate customers as a paid service. In private industry, cybersecurity analysts use it for following hackers’ activity or attributing cyberattacks. In the government world, analysts can do the same, but agencies that deal with criminal investigations have also purchased the capability. The military agencies did not describe their use cases for the tool. However, the sale of the tool still highlights how Team Cymru obtains this controversial data and then sells it as a business, something that has alarmed multiple sources in the cybersecurity industry.

“The network data includes data from over 550 collection points worldwide, to include collection points in Europe, the Middle East, North/South America, Africa and Asia, and is updated with at least 100 billion new records each day,” a description of the Augury platform in a U.S. government procurement record reviewed by Motherboard reads. It adds that Augury provides access to “petabytes” of current and historical data.

Motherboard has found that the U.S. Navy, Army, Cyber Command, and the Defense Counterintelligence and Security Agency have collectively paid at least $3.5 million to access Augury. This allows the military to track internet usage using an incredible amount of sensitive information. Motherboard has extensively covered how U.S. agencies gain access to data that in some cases would require a warrant or other legal mechanism by simply purchasing data that is available commercially from private companies. Most often, the sales center around location data harvested from smartphones. The Augury purchases show that this approach of buying access to data also extends to information more directly related to internet usage.

Team Cymru says on its website that its solution provides “access to a super majority of all activity on the internet.”

Do you work at a company that handles netflow data? Do you work at an ISP distributing that data? Or do you know anything else about the trade or use of netflow data? We’d love to hear from you. Using a non-work phone or computer, you can contact Joseph Cox securely on Signal on +44 20 8133 5190, Wickr on josephcox, or email [email protected].

“Augury is the visibility into 93% of internet traffic,” another website describing the tool reads. Some clients have access to the platform under the different brand name Pure Signal RECON, according to Team Cymru’s website.

The Augury platform makes a wide array of different types of internet data available to its users, according to online procurement records. These types of data include packet capture data (PCAP) related to email, remote desktop, and file sharing protocols. PCAP generally refers to a full capture of data, and encompasses very detailed information about network activity. PCAP data includes the request sent from one server to another, and the response from that server too.

PCAP data is “everything,” Zach Edwards, a cybersecurity researcher who has closely followed the data trade, told Motherboard in an online chat. “It’s everything. There’s nothing else to capture except the smell of electricity.” (Team Cymru told Motherboard it does limit what data is returned to users but did not specify what data actually is provided to a user of the platform.)

A source in the cybersecurity industry said “that’s insane” when shown that sensitive information like PCAP data was available in Augury. Some private industry users appear to have less access to certain data types in Augury than those listed in the government procurement records. Motherboard granted multiple sources in this piece anonymity because they weren’t authorized by their employers to speak on this issue.

Augury’s data can also include web browser activity, like URLs visited and cookie usage, according to the procurement records. Cookies are sensitive files that websites plant onto computers when people visit them. Given their uniqueness, cookies can be effective for tracking. Facebook and Google, for example, use cookies to follow a particular user from website to website and track their activity. The NSA has then piggybacked off of these cookies to identify targets for hacking. Screenshots of an apparent Augury panel obtained by Motherboard show results containing cookies, URLs visited, and email data. Motherboard showed a section of one of the screenshots to multiple sources familiar with the tool who said it does appear to be the Augury panel.

Augury also contains so-called netflow data, which creates a picture of traffic flow and volume across a network. That can include which server communicated with another, which is information that may ordinarily only be available to the server owner themselves or to the internet service provider that is carrying the traffic. That netflow data can be used for following traffic through virtual private networks, and for showing the server they are ultimately connecting from. Multiple sources in the cybersecurity industry told Motherboard that netflow data can be useful for identifying infrastructure that hackers are using.

Team Cymru obtains this netflow data from ISPs; in return, Team Cymru provides the ISPs with threat intelligence. That transfer of data is likely happening without the informed consent of the ISPs’ users. A source familiar with the netflow data previously told Motherboard that “the users almost certainly don’t [know]” their data is being provided to Team Cymru, who then sells access to it.

It is not clear where exactly Team Cymru obtains the PCAP and other more sensitive information, whether that’s from ISPs or another method.


A screenshot of Augury obtained by Motherboard. Image: Motherboard.

Motherboard asked Team Cymru multiple times if Augury contains cookies, URLs visited, and PCAP data, as the procurement records show. Team Cymru did not answer the question directly, and instead wrote in an email that “The Augury platform is not designed to target specific users or user activity. The platform specifically does not possess subscriber information necessary to tie records back to any users.”


About the Author: Patriotman

Patriotman currently ekes out a survivalist lifestyle in a suburban northeastern state as best as he can. He has varied experience in political science, public policy, biological sciences, and higher education. Proudly Catholic and an Eagle Scout, he has no military experience and thus offers a relatable perspective for the average suburban prepper who is preparing for troubled times on the horizon with less than ideal teams and in less than ideal locations. Brushbeater Store Page: http://bit.ly/BrushbeaterStore

4 Comments

  1. Felix September 21, 2022 at 16:02

    Roll-ups, takedowns, roundups… they will be soooooooo easy to prioritize and, one-by-one execute on.
    The MSM won’t tell anyone. How will you know – until it’s too late?
    Will patriots be able to see what’s happening and spread the word when (not if) the current coup owners decide to escalate beyond merely harassing and financially ruining their opposition?
    Folks who know what and where the “Bumblehive” is are warned.
    Those who haven’t heard of it or considered what it means – can do a quick search.
    That our branches of the military are setting up their own gathering/storage ought give a clue as to where things are headed.

    • mike September 21, 2022 at 20:51

      Yeah, I dunno. It’s a big continent. If they were that good they could have finished off the Afghans in one fighting season, right? They can have God-like knowledge of what everyone in America is thinking and it would still be a chore to actually round them all up without breaking a sweat. The high profile types are all surrounded by people who are barely on the radar. They are not going to be able to roll into every little town in America in a day or two and just get the tier 1 people they want without anyone noticing. I’m sure that is their plan, and they may run with it, but it won’t be the walk over that is anticipated.

  2. Bumblehive September 21, 2022 at 16:43

    Cymru, Augury-Pure Signal Recon.

    • Felix September 21, 2022 at 19:58

      Is that you Brad?
      Heck, ASM might apply to “cells” or “cadres” who were attempting to sustain any digital presence. But I’m thinking more about the every day interface an individual has which is logged and searchable via things like GPS use/signals, normal movement in public (facial recognition), using plastic to order anything online, etc.
      Fact is, if someone has/carries a cell phone, moves in public spaces, uses plastic at the grocery store and eateries, engages in _any_ social media… it would be as easy as picking them up whenever as it would have been snagging David Koresh on one of his regular trips to town. When you know enough about someone by piecing together their bits of data, you can burn them down at leisure.
      1984 is here and then some.
      Or maybe I’m just paranoid.
