The NSA Collects Contact Lists, Too

The NSA scoops up contacts from millions of email and instant messaging address books for personal accounts, according to the latest Washington Post report based off of a leak from NSA whistleblower Edward Snowden.

This article is from the archive of our partner .

The NSA scoops up contacts from millions of email and instant messaging address books for personal accounts, according to the latest Washington Post report based off of a leak from NSA whistleblower Edward Snowden. According to the Post, some of those accounts are owned by Americans.

Here's how it works: every time a user synchs an address book with a remote server, or (depending on the service) logs into an account, the NSA can collect it. And they're doing so, in bulk, rather than by targeting individual users. The program relies on agreements with foreign internet providers — FISA makes such collection from American facilities illegal. But while the data mining of address books happens overseas, it includes account information belonging to Americans. Not only that, the Post notes, but the NSA "is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets." So, how many contacts are we talking about here? This many:

During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers

That's via a PowerPoint slide obtained by the Post through Snowden — the Post speculates that the vast number of Yahoo collections, compared to the others, comes from the fact that Yahoo doesn't encrypt user connections automatically (the company is changing that next year). On top of the daily collection figures above, agency also collects 500,000 "buddy lists" from chat services on a typical day. That's so much data, apparently, that the sheer volume "has occasionally threatened to overwhelm storage repositories." And yes, that's in part because of all the spam in the mix. The spam problem is so overwhelming that the agency is trying to figure out how to reduce its "over collection" of repetitive, useless spam contacts. 

The Office of the Director of National Intelligence's spokesperson Shawn Turner gave the Post a familiar defense of the program, noting that the NSA must abide by rules designed to "minimize" the collection of data pertaining to Americans. Turner added that the agency "is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers. We are not interested in personal information about ordinary Americans.”

U.S. intelligence uses the address books to examine relationships between various targets, according to the Post's report. And there's a lot there to work with. The paper outlines some of the things intelligence officials can figure out just from a contact list:

Address books commonly include not only names and e-mail addresses but also telephone numbers, street addresses, and business and family information. In-box listings of e-mail accounts stored in the “cloud” sometimes contain content such as the first few lines of a message. Taken together, the data would enable the NSA, if permitted, to draw detailed maps of a person’s life, as told by personal, professional, political and religious connections. The picture can also be misleading, creating false “associations” with ex-spouses or people with whom an account holder has had no contact in many years.

Because of the methods used to collect the information, the Post explains, the agency can basically enforce its own rules on itself, without going to the FISA court for approval. And it doesn't have to inform the companies hosting the data of the collection. That's evidenced by the series of statements obtained by the Post's reporters on the revelations from the companies to whom users voluntarily give up their contacts' information. Google denied having either "knowledge nor participation" in the program, Microsoft said that "we would have significant concerns if these allegations about government actions are true," while Facebook said "we did not know and did not assist” in the collection of address books and contact lists.

(Image via the Washington Post)

This article is from the archive of our partner The Wire.