Wyden FTC inquiry tied to Durham's prosecution of Michael Sussmann - The Washing...

source link: https://www.washingtonpost.com/technology/2022/12/15/wyden-ftc-neustar-sussmann/

Senator seeks FTC probe of data sales to U.S. government agencies

Wyden cites evidence from the prosecution of Democratic lawyer Michael Sussmann to suggest the company breached users’ privacy

December 15, 2022 at 10:00 a.m. EST
Sen. Ron Wyden (D-Ore.) at the U.S. Capitol. (Drew Angerer/Getty Images)

Sen. Ron Wyden (D-Ore.) has asked the Federal Trade Commission to investigate whether an internet infrastructure company violated the privacy rights of millions when it sold records of where they went online to the federal government.

In a letter dated Thursday and shared with The Washington Post, Wyden cited a paragraph entered into the record in the Justice Department’s prosecution of Democratic lawyer Michael Sussmann stipulating that companies associated with a longtime industry entrepreneur had sold such information directly to government agencies, where it had classified contracts.

Sussmann was acquitted of misleading the FBI about who he was representing in 2016 when he passed along data that he said showed suspicious connections between a computer controlled by then-candidate Donald Trump and a Russian bank. The FBI found nothing to substantiate the accusation.

The stipulation naming entrepreneur Rodney Joffe was the clearest confirmation to date of web histories being sold directly to federal law enforcement and intelligence agencies, instead of through information brokers exempt from restrictions on what telephone companies and websites can share with the government.

Companies associated with Joffe “have maintained contracts with the United States government resulting in payment by the United States of tens of millions of dollars for the provision of, among other things, Domain Name System (‘DNS’) data. These contracts included classified contracts that required company personnel to maintain security clearances,” the stipulation read in part.

Wyden asked for a probe of whether the company, now called Neustar Security Services, where Joffe was a top executive, should have warned consumers that it was selling sensitive information about their web habits.

Most of those whose records were shared never knew they interacted with Neustar. The data was obtained largely from domain name lookup services that Neustar provided to internet service providers, allowing consumers who type in the words of a website address to connect to the numerically labeled location recognized by computers.

That would not include search queries on Google or other information about where on a large site the consumer went. But it could still be very revealing, Wyden wrote.

“Knowing that a user visited the website of the National Suicide Prevention Hotline (suicidepreventionlifeline.org), the National Domestic Violence Lifeline (thehotline.org) or Power to Decide’s Abortion Finder service (www.abortionfinder.org) can all reveal deeply personal and private information about a person,” he wrote to FTC Chair Lina Khan.

Though Neustar’s privacy policy says it may share information with others, Wyden said that the outright sale of such data, for what records show was millions of dollars, would have been enough to send some users elsewhere and therefore should have been revealed. Most consumers allow their internet provider to send them where they want to go, but Google, Cloudflare and others also offer free DNS lookups.

Wyden said it would be worse if Neustar had also sold data it obtained from VeriSign after it bought VeriSign’s DNS business, a deal announced in 2020, because VeriSign had assured its customers that it would never share their information.

Wyden said Neustar staff refused to say whether VeriSign data was included in what it sold to the government and to government contractors. Executives would only say that they are not now selling DNS data. Wyden said that under previous FTC cases, an acquiring company cannot change the previous owner’s privacy commitments without notice.

“Neustar did not take sufficient steps to warn consumers that it no longer intended to honor these promises, and as such, appears to have engaged in business practices substantially similar to those that the FTC has previously argued violated the FTC Act,” Wyden wrote.

Neustar did not respond to an email seeking comment. The company has previously been reported to have sold DNS data to researchers at the University of Georgia, who in turn conducted searches for federal agencies.

Joseph Menn joined The Post in 2022 after two decades covering technology for Reuters, the Financial Times and the Los Angeles Times. His books include "Cult of the Dead Cow: How the Original Hacking Supergroup Might Just Save the World" (2019) and "Fatal System Error: The Hunt for the New Crime Lords who are Bringing Down the Internet" (2010).