In June, we learned that the NSA had been collecting US call records, which created quite a controversy. The NSA’s Director, General Keith B. Alexander, defended “bulk” collection as an essential counterterrorism and foreign intelligence tool, saying, “You need the haystack to find the needle.”
Now, the NSA is collecting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to American citizens. The program they’re using intercepts e-mail address books and buddy lists from instant messaging services as they move across global data links.
Rather than targeting individual users, the NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world’s e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and to map relationships within a much smaller universe of foreign intelligence targets. Each day, the NSA collects contacts from an estimated 500,000 buddy lists.
They say they are focused on discovering and developing intelligence about terrorists, human traffickers and drug smugglers.
They’re not interested in personal information about ordinary Americans. However, the data gathered would enable the NSA to draw detailed maps of a person’s life, based on personal, professional, political and religious connections. That picture can be misleading, creating false associations with people an account holder hasn’t spoken to in many years.
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions by intercepting contact lists from access points “all over the world,” one official said.
Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets.
When information passes through the overseas collection apparatus, the assumption is you’re not a US citizen. However, many Americans live and work overseas. Some data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages.
A senior US intelligence official said the privacy of Americans is protected, despite mass collection, because there are checks and balances built into their tools. NSA analysts may not search within the contacts database or distribute information from it unless they can make the case that something in there is a valid foreign intelligence target in and of itself.
The NSA draws on authority in the Patriot Act for its bulk collection of domestic phone records, and it gathers online records from US Internet companies, in a program known as PRISM, under powers granted by Congress in the FISA Amendments Act. Those operations are overseen by the Foreign Intelligence Surveillance Court.
Because the agency captures contact lists “on the fly” as they cross major Internet switches, rather than “at rest” on computer servers, the NSA has no need to notify the US companies that host the information or to ask for help from them. Google, Microsoft, and Facebook all said they didn’t know about this and did not assist.
The NSA collects more than twice as many address books from Yahoo as from the other big services combined, probably because Yahoo has left connections to its users unencrypted. Yahoo says that starting in January, it will begin encrypting all its e-mail connections. Google was the first to secure all its e-mail connections in 2010. People with inside knowledge said the move was intended in part to thwart large-scale collection of its users’ information by the NSA and other intelligence agencies.
Chances are the NSA isn’t interested in your e-mails or buddy list; however, it certainly does feel like an invasion of privacy.