NSA Recognized It Was Collecting Too Much Data When Harvesting Millions of Contact Lists

Logo for Special Source Operations branch of NSA from PowerPoint disclosed by Edward Snowden

Millions of users from around the world have had their contact lists from their personal email and instant messaging accounts harvested by the National Security Agency, according to a report from The Washington Post’s Barton Gellman and Ashkan Soltani.

The collection “sweeps in the contacts of many Americans,” as two unnamed “senior US intelligence officials” confirmed. That number could be “in the millions or tens of millions.”

The previously undisclosed program is detailed in documents obtained from former NSA contractor Edward Snowden. Neither Congress nor the Foreign Intelligence Surveillance Court has authorized the collection of “contact lists in bulk.” It would be illegal to do this kind of collection at facilities in the United States; however, the agency is able to avoid these legal restrictions by “intercepting contact lists from access points ‘all over the world.’” Since none of these points are on US territory, there are no limits to what can be collected and stored.

The agency does not have to restrict its intake to “contact lists belonging to specified foreign intelligence targets.” Anything passing through is assumed to not be from US persons.

Additionally:

In practice, data from Americans is collected in large volumes — in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages.

The only check against abuse by officials in the NSA appears to be that they will not search the database containing all of this data unless a case can be made that there is information on a “valid foreign intelligence target.” However, there is no outside review of the NSA’s decision to conduct a search of this data. It can abuse its authority, stretch what is permissible under “minimization rules,” and not face any legal challenge or other consequences.

An internal PowerPoint presentation slide indicates that on a single day in 2012 the Special Source Operations branch collected the following number of email address books: 444,743 from Yahoo!, 105,068 from Hotmail, 33,697 from Gmail, 82,857 from Facebook and 22,881 from other providers.

This typical intake suggests more than 250 million address books are collected in a year. However, on a single day, less than 14% could be attributed to a target, which means that at that rate the NSA collected and stored about 215 million contact lists of users it would never be able to use.

Five hundred thousand “buddy lists” and inboxes were collected on a typical day, according to the same presentation. Ninety percent of the data is collected because the contact lists contained what the NSA was looking for in the search. In other words, the data was most often collected from a person who was not a target or whose content was definitely not relevant to any sort of investigation.

The collection of too much data that is not useful and will never be necessary for any investigation is acknowledged as a problem in a page of the NSA’s Wikipedia called “Intellipedia.”

In 2011, a “significant portion of collection was repetitive.” The data was also found to be “of little foreign intelligence value.”