Sen. Ron Wyden (D-OR) has called on the Federal Trade Commission (FTC) to investigate whether domain name registry Neustar violated the privacy of millions of Americans “when it sold records of where they went online to the federal government.”
Wyden’s letter to the FTC states that in 2016, the Department of Defense funded a research team at Georgia Tech to purchase Neustar’s data. The senator obtained communications between the researchers and “both the FBI and the Department of Justice, indicating that government officials asked the researchers to run specific queries and that the researchers wrote affidavits and reports for the government describing their findings.”
We obtained a copy of the letter for you here.
Additionally, Wyden cited a statement by the Department of Justice, in an unrelated court case, which he says alleges that Neustar executive Rodney Joffe, “who led the company’s efforts to sell data to Georgia Tech, was also involved in the sale of DNS data directly to the U.S. government.”
The court documents state: “Rodney Joffe and certain companies with which he was affiliated, including officers and employees of those companies, have provided assistance to and received payment from multiple agencies of the United States government. This has included assistance to the United States intelligence community and law enforcement agencies on cyber security matters.
“Certain of those companies have maintained contracts with the United States government resulting in payment by the United States of tens of millions of dollars for the provision of, among other things, Domain Name System (‘DNS’) data. These contracts included classified contracts that required company personnel to maintain security clearances.”
As reported by the Washington Post: “The stipulation naming entrepreneur Rodney Joffe was the clearest confirmation to date of web histories being sold directly to federal law enforcement and intelligence agencies, instead of through information brokers exempt from restrictions on what telephone companies and websites can share with the government.”
Wyden’s letter continues: “The data that Neustar sold to Georgia Tech may have also included data collected from consumers who were explicitly promised that their data would not be sold to third parties. Between 2018 and 2020, Neustar acquired a competing recursive DNS service, which had previously been operated by Verisign. That service had been advertised to the public by Verisign with unqualified promises that ‘your public DNS data will not be sold to third parties.’
“When the product changed hands, users of Verisign’s service were seamlessly transitioned to DNS servers that Neustar controlled. This meant that Neustar now received information about the websites accessed by these former Verisign users, even though neither Verisign nor Neustar provided those users with meaningful, effective notice that the change of ownership had taken place, or that Neustar did not intend to honor the privacy promises that Verisign had previously made to those users. It is unclear if the data Neustar sold to Georgia Tech included data from users who had been promised by Verisign that their data would not be sold.
“This is because both Neustar and Verisign have refused to answer questions from my office necessary to determine this important detail.”