Wednesday, 16 October 2013

NSA Collecting “Hundreds of Millions” of E-mail, Instant Messaging Contacts

It seems as if every day brings a new revelation about the National Security Agency’s (NSA) snooping into Americans’ private lives. The latest, according to the Washington Post, is that the agency is annually vacuuming up “hundreds of millions” of e-mail and instant-messaging contact lists, many belonging to American citizens — and doing so without any legal justification or congressional oversight.

“Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers,” the Post reported in a story based on information from “senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden.” The NSA then “intercepts” these contact lists “as they move across global data links.”

None of this is authorized by law or even by the secret court that oversees intelligence-gathering activities under the Foreign Intelligence Surveillance Act (FISA). The NSA cleverly avoids FISA by intercepting data from foreign sources under “secret arrangements with foreign telecommunications companies or allied intelligence services in control of facilities that direct traffic along the Internet’s main data routes,” the Post wrote.

“Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets,” an intelligence official, speaking on condition of anonymity, told the paper. Conveniently, this allows the NSA to collect such data on countless individuals, both foreigners and Americans, who are not suspected of any crimes. Moreover, because the program falls outside the purview of FISA or other domestic laws, the NSA only has to satisfy itself that its searches of the gathered data are related to a foreign intelligence target before it can commence combing through the contact lists, giving the agency essentially carte blanche to engage in fishing expeditions.

Intelligence officials would not hazard a guess as to how many Americans are subject to such unconstitutional searches and seizures “but did not dispute that the number is likely to be in the millions or tens of millions,” the Post said. Indeed, given the sheer number of contact lists swept up by the NSA, it would defy logic to imagine that Americans are not getting caught in the agency’s dragnet:

During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million a year.

Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.

The named companies all denied any knowledge of the NSA’s program, which comports with the agency’s assertion that it need not notify them that it has captured the data they host since it does so while the data is in transit rather than while it is sitting on servers. Of note, however, is that Yahoo was the source of over four times as many captures as any other host listed, perhaps because Yahoo does not encrypt e-mail connections (though the company told the Post it would do so beginning in January). Google, meanwhile, secures all its e-mail communications through Secure Sockets Layer (SSL) encryption. This suggests that although the NSA is known to be able to crack most encryption methods, “ubiquitous use of SSL can foil NSA eavesdropping,” security expert Bruce Schneier observed.

As bad as the NSA’s collection of Americans’ telephone records is, the contact-list gathering could be far worse, argued the Post:

Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. Inbox listings of e-mail accounts stored in the “cloud” sometimes contain content, such as the first few lines of a message.

Taken together, the data would enable the NSA, if permitted, to draw detailed maps of a person’s life, as told by personal, professional, political and religious connections. The picture can also be misleading, creating false “associations” with ex-spouses or people with whom an account holder has had no contact in many years.

“This is incredibly intimate information,” Schneier pointed out, “all collected without any warrant or due process.”

The government, of course, assured Post readers that they have nothing to fear from yet another intrusive federal surveillance program. Shawn Turner of the Office of the Director of National Intelligence told the newspaper that the agency is gathering the data solely to investigate “valid foreign intelligence targets” and is “not interested in personal information about ordinary Americans.” Besides, he added, there are internal rules in place to prevent the abuse of the contact-list data. Similar rules, however, did not prevent NSA agents from abusing their access to other data thousands of times in 2011 and early 2012, nor did the stipulations keep them from using the agency’s resources to spy on current and former lovers.

If there is any good news to be found in this story, it is that, as has long been suspected, the NSA is collecting far too much data for it to be of much use. In fact, at times the agency has been so overwhelmed with contact data that it had to stop collecting it from certain individuals. “Spam has proven to be a significant problem for the NSA — clogging databases with information that holds no foreign intelligence value,” the Post reported.

So the next time you get an e-mail telling you that you’re in line for a fortune left behind by a rich Nigerian, feel free to smile a little as you click “delete,” knowing that the two-bit con artist who mildly annoyed you has also managed to ever so slightly confound the best-laid plans of Big Brother.