The Washington Post has just published another revealing scoop about the National Security Agency. The paper is reporting that the NSA is currently collecting contact lists from email and instant message services from users worldwide — and Americans are among those whose data is being harvested.
The revelations come courtesy of senior intelligence officials and documents provided by Edward Snowden. The program is said to feed off of email address books and buddy lists that are transmitted by various online services when users sign on, write a message, or sync their computers or mobile devices to one another. Instead of targeting individual users, the lists are described as being collected en masse, in the hopes of letting the NSA map out and discover relationships between various players. A similar NSA program mapping the social ties and relationships of Americans was revealed last month.
Nearly 700,000 email address books collected in one day
According to an internal PowerPoint presentation reviewed by the Post, one day last year the NSA collected nearly 700,000 email address books from the likes of Yahoo (444,743), Facebook (82,857), and Gmail (33,697), amongst other services. The presentation also specified that on a given day around 500,000 buddy lists from chat services were collected, as well as inbox displays from web-based email services; the latter can include contact information as well as the first few lines of emails themselves in certain cases.
The program relies on agreements with foreign telecom companies and foreign intelligence services that oversee facilities that handle major internet switches. While the collection itself doesn't occur on US soil, anonymous intelligence officials told the Post that the contact information from Americans was indeed collected in the large sweeps.
Americans could have their address books collected without ever leaving US soil
The Post points out that the NSA hasn't been given direct authorization by Congress or the FISA court for the broad collection of contact lists, and that it would in fact be illegal if the agency did so within the United States. Utilizing overseas collection points gets the NSA around those restrictions, according to the report. One official is quoted as saying that when data is collected from those particular locations, "the assumption is you're not a US person." However, the issue isn't quite that simple: companies like Google use servers around the world to provide consistent service, meaning a user in California could have their data be sent through one of the international collection points the NSA is pulling from without ever leaving the United States themselves. NSA analysts are only able to search or share the contacts database, according to one official, if they can make the case that information contained within is a "valid foreign intelligence target in and of itself."
Given that the data is captured while in transit, companies like Google and Yahoo don't need to be notified when information from their respective services is captured. The Post also notes the large discrepancy between data collected from Yahoo versus other online services, speculating that the company's relatively late adoption of default SSL encryption may be partially to blame.
The mass collection of address books and contact lists has actually lead to a large storage problem due to an issue everyday users are all too familiar with: spam. According to the documents, databases have been filled up with data from such enormous amounts of spam that the NSA has had to put out "emergency detasking" orders at times to prevent itself form being overrun. A page posted from the NSA Intellipedia — essentially a wiki for the NSA — describes some ways in which the agency tries to deal with the issue.