Each day the National Security Agency scoops up half a million “buddy list” and in-box e-mail address lists from instant chat and Web-based e-mail services worldwide, according to internal agency documents released Monday by The Washington Post.
Using computerized electronic filters, the NSA snags the buddy lists and address books as they flow through telecommunications servers and other systems overseas, where US laws do not restrict wholesale data gathering, the Post reported, citing conversations with unnamed senior US intelligence officials.
Collection happens most often when computers and smart phones allow their users to “sync” their contact lists to services such as Yahoo, Facebook, and Google. At the same time, Web-based e-mail services often produce detailed lists of recipients on the fly, as e-mails are sent and received.
On one typical day, the NSA collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from other providers, one of two documents shows. Both documents were leaked to the Post by former NSA contractor Edward Snowden.
At this rate, the take is about 250 million such lists each year.
Such lists are “metadata rich,” one of the documents notes. Besides e-mail addresses, they often include phone numbers, names, and sometimes the subject line and even first lines of an e-mail. Suspected terrorists and their contacts can be compared to such lists to find new leads.
“You need the haystack to find the needle,” said Gen. Keith Alexander, NSA director, defending the agency’s collection programs at the Aspen Security Forum in July.
But the just-revealed approach also inevitably captures tens of millions of names and other information belonging to Americans, the officials told the Post. It would be illegal if collected in the United States, they said, but the information was collected overseas under authority of presidential Executive Order 12333, which outlines requirements of US intelligence agencies operating overseas.
Although controversial, bulk collection of Americans’ telephone metadata has so far been deemed legal under the Patriot Act by the Foreign Intelligence Surveillance Court. Also, online records collected from US Internet companies under an NSA program known as PRISM have been justified under the FISA Amendments Act of 2008.
The NSA “is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers, and drug smugglers,” a spokesman for the Office of the Director of National Intelligence told the Post. “We are not interested in personal information about ordinary Americans.”
The NSA follows rules laid out by the US attorney general that require the agency to “minimize the acquisition, use, and dissemination” of information about a US citizen or permanent resident of the US, the spokesman said.
But that’s not particularly reassuring to civil libertarians, who say the emerging picture is increasingly one in which a sprawling intelligence agency use many sophisticated programs to collect vast amounts of information on Americans – one way or another.
“E-mail address books, especially when combined with other information the NSA already collects, tell the government the story of your private life,” writes Faiza Patel, co-director of the Liberty and National Security Program at the Brennan Center for Justice, in an e-mail interview.
“By plumbing this information, the NSA can figure out your political and religious beliefs, your intimate relationships, your medical issues, even your financial concerns,” she writes. “The fact that the information is collected abroad doesn’t make a difference for privacy concerns. The government itself concedes that the number of law-abiding Americans whose details are swept up in this program numbers in the millions or even tens of millions.”
Others say it is becoming obvious that NSA operations have outpaced day-to-day oversight of the agency by congressional committees.
“What we’re seeing is that the government collection programs are many-headed,” says Lee Tien, a senior staff attorney with the Electronic Frontier Foundation, a San Francisco Internet free-speech and privacy group. “We’re also seeing emerging efforts to reform this machine. But how do you do that when you don’t know what all the parts of the machine are collecting?”
With Internet data streams merged into fiber-optic cables and flowing through nodes and data centers run by global companies like Google in many countries, “the scope of the collection” under the FISA law needs to be analyzed in relation to traditional espionage collection efforts to ensure that Americans’ privacy is protected, Mr. Tien says.
Until then, he says, encryption appears to be the best way to try to maintain privacy. Spokesmen for Facebook, Google, Microsoft, and Yahoo all told the Post they were not aware of the buddy list and e-mail in-box list collection. Yahoo said it would begin encrypting its communications traffic in January.
“We have neither knowledge of nor participation in this mass collection of Web-mail addresses or chat lists by the government,” Google spokeswoman Niki Fenwick told the Post. A Microsoft spokeswoman said her company “does not provide any government with direct or unfettered access to our customers’ data.”
“We would have significant concerns if these allegations about government actions are true,” she added.