NSA Collects Email Contacts and Buddy Lists from 500,000 Accounts a Day

Another fresh leak from the Snowden files, reported in the Washington Post, reveals how the NSA is collecting data, specifically the online address books of American citizens. It’s just another of the continuing disclosures of the National Security Agency’s surveillance activity to come from the files and classified documents that were taken from Edward Snowden, the government contractor currently in self-exile in Russia. According to the report, millions of everyday citizens are caught up in this collection of email contact lists, from which digital maps are created in an effort to find terrorist connections. The scope of this collection is massive. As one daily report indicates, over 600,000 email address books were taken from Yahoo accounts, Hotmail accounts, Gmail accounts, Facebook accounts, and others. That rate of collection amounts to more than 250 million address books per year, as indicated in the NSA PowerPoint that this report is based on. The operation also collects information from buddy lists on messaging services.

During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million a year.

Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the inbox displays of Web-based e-mail accounts.

How They Do It: Overseas Collection

The report also shows how the NSA is working around a pretty gigantic loophole. You see, the agency doesn’t have explicit authority, granted by any known public document from the secret FISA court or any other court, to capture this data specifically on American citizens. Therefore, according to the Post, the NSA is collecting this information overseas. So Americans on the email or buddy lists of anyone within the scope of this international collection are certainly part of this operation. The number caught up in the game: millions.

The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”

Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said.

When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”

So, the assumption they work under is that Americans only email Americans.  Once it hits overseas, you must not be an American.  I mean – that’s probably the best way to group the data, to play the devil’s advocate here.  How right that is, or how it may or may not violate your rights, that’s another matter.

Tens of Millions of American Accounts Possibly Affected

The collection depends on secret arrangements with foreign telecommunications companies or allied intelligence services in control of facilities that direct traffic along the Internet’s main data routes.

Although the collection takes place overseas, two senior U.S. intelligence officials acknowledged that it sweeps in the contacts of many Americans. They declined to offer an estimate but did not dispute that the number is likely to be in the millions or tens of millions.

Checks And Balances – Trust us :)

As indicated in the report, the contact lists are tremendously more valuable than call collection alone. The data carries additional details such as phone numbers, street addresses, and business and family information.

A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”

While the NSA feels it can be trusted because of this checks and balances system, we don’t have to go back very far to recall several reports from the agency itself and in the news about numerous violations that happened with other collected data.

Email Providers: Not Involved and The NSA Hates Spam Too

The report indicates that Yahoo, Google, and Microsoft have stated that they have not participated in this access of information. There is speculation that Google has been storing data overseas to avoid these NSA operations, and that comes up again in this report. Google also moved Gmail to encrypted email connections back in 2010, perhaps related to this as well. It is also notable that Yahoo has a significantly higher number of accounts being accessed than the other major providers, a statistic that is most likely due to the fact that their connections are not encrypted by default. Details on the volume of data within the operation are also rather interesting, including one particular detail: spam and other low-value noise have on occasion caused trouble for the email operation. At times the repositories have been pushed to the edge of being overwhelmed, leading to “emergency detasking” orders that halted the intake until the issues could be overcome.

About John Casaretto

SiliconANGLE's CyberSecurity Editor - Have a story tip or feedback? Please reach out to me! Security is as critical as ever and our mission is to uncover those stories that will help our industry be more secure.