NSA Collects Email Contact Lists, Instant Messaging Chat Buddy Lists From Overseas With No Oversight At All

from the well,-there's-that dept

The Washington Post is out with the latest revelations from the Snowden leaks, and they show that the NSA relies on foreign telcos and "allied" intelligence agencies to scoop up data on email contact lists and instant messaging buddy lists to help build its giant database of connections. Remember how it was reported a few weeks ago that the NSA was basically building a secret shadow social network? It seems like this might be one of the ways it's able to tell who your friends are.

There are a variety of important points here. First off, this information is not coming directly from the tech companies (which, again, suggests that earlier claims that the NSA had direct access to all their servers were mistaken). Rather, they're picking this information up off the backbone connections in foreign countries. It also explains why they get so much data from Yahoo -- because, for no good reason at all, Yahoo hadn't forced encryption on its webmail users until... the news of this started to come out.

And here's the big problem: because all of this information is collected overseas, rather than at home, it's not subject to "oversight" (and I use that term loosely) by the FISA court or Congress. Those two only cover oversight for domestic intelligence. The fact that the NSA can scoop up all this data overseas is just a bonus.

Also, while the program is ostensibly targeted at "metadata" concerning connections between individuals, the fact that it collects "inboxes" and "buddy lists" appears to reveal content at times. With buddy lists, it can often collect content that was sent while one participant was offline (where a server holds the message until the recipient is back online), and with inboxes, they often display the beginning of messages, which the NSA collects.

Separately, because this allows them to gather so much data, it apparently overwhelmed the NSA's datacenters. At times, this is because they get inundated with... spam. For example, one of the documents revealed shows that a target they had been following in Iran had his Yahoo email address hacked for spamming, and that presented a problem:

In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.”

The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf.

After nine days of data-bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.”

Because of this mess, the NSA has tried to stop collecting certain types of information, doing "emergency detasks" of certain collections. This, yet again, shows how ridiculous Keith Alexander's "collect it all" mantra is. When you collect it all, you get inundated with a ton of bogus data, and the information presented here seems to support that.





Filed Under: buddy lists, chat, contacts, email, information, nsa, nsa spying, nsa surveillance, telcos


Reader Comments



  1. Mike Brown, 14 Oct 2013 @ 6:12pm

    Well I guess we owe a great big "thank you" to all those heirs of assassinated Nigerian warlords. By spamming us with their requests to take their money, they were actually shielding us from the NSA's email dragnet.

  2. Me, 14 Oct 2013 @ 6:14pm

    Wow. They've already violated the 1st, 2nd, 4th, 5th, 6th, 8th, 9th and 10th amendments already so they may as well start in on the rest...

    "Immunity from state scrutiny of petitioner's membership lists is here so related to the right of petitioner's members to pursue their lawful private interests privately and to associate freely with others in doing so as to come within the protection of the Fourteenth Amendment."

    -- NAACP vs State of Alabama

  3. out_of_the_blue, 14 Oct 2013 @ 6:37pm (flagged by the community)

    Apparently ranked by unpopularity:

    "444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers,"

    Think it's clear that Yahoo followed by Microsoft are the most unpopular / most despised. SO what I surmise is that this "new" factoid is sheerly PR to create the illusion of distance between the spying mega-corporations and NSA, putting the most unfavored at top of list. There's no other explanation given than similarly biased musing, so don't claim that you know...

    Mike pounces on and plays up: "suggests that earlier claims that the NSA had direct access to all their servers was mistaken" -- when the only "evidence" here is another alleged Powerpoint slide. -- But there IS more evidence so publicly available that don't require proof: Google and the other mega-corps go on getting tens of billions every year, are effectively exempt from anti-trust, pay almost no taxes, billions kept offshore... The payoffs are indirect but can't be much clearer that the mega-corporations ARE willingly going along with NSA. Pro-corporate Mike just refuses to see the BILLIONS -- while clutches at one contrary Powerpoint slide.

  4. Anonymous Coward, 14 Oct 2013 @ 6:39pm

    I may be reading this incorrectly...

    But is this article suggesting that the fastest, easiest way to get my email removed from the NSA dragnet is to let a spambot take it over?

  5. Anonymous Coward, 14 Oct 2013 @ 6:51pm

    Re: Apparently ranked by unpopularity:

    You have never surmised something correctly in your life.

  6. Mike Brown, 14 Oct 2013 @ 7:08pm

    Re: Apparently ranked by unpopularity:

    You and your Google bashing! Give it a rest.

    Yahoo and Hotmail predate Gmail by 10 years! It stands to reason that they'd have significantly more accounts for the NSA to snoop into.

  7. DerekCurrie, 14 Oct 2013 @ 7:16pm

    Overseas surveillance: Obviously. Welcome to the 21st Century.

    FUD or valid, there are endless incentives for every country on the planet to surveil every other country. That's an ancient human problem. Humans don't trust each other. We constantly have trust issues. So obviously the NSA is going to surveil everything it can lay its hands on, and have time to analyze, from outside the USA. Utter DUH Factor.

    The problem is when the NSA destroys the 4th Amendment of the US Constitution. That's not acceptable. Bullying the FISA courts is not acceptable. Treating US citizens as default criminals is not acceptable. Collecting ANY citizen surveillance data without probable cause is not acceptable. It is in fact treasonous behavior punishable by the severest penalty of law.

    For review, the 4th Amendment to the US Constitution:

    "The right of the people to be secure in their persons, houses, papers, and effects, against unreasonable searches and seizures, shall not be violated, and no Warrants shall issue, but upon probable cause, supported by Oath or affirmation, and particularly describing the place to be searched, and the persons or things to be seized."

    And directly quoting Benjamin Franklin:

    "They who can give up essential liberty to obtain a little temporary safety, deserve neither liberty nor safety."

    And directly quoting Theodore Roosevelt:

    "To announce that there must be no criticism of the president, or that we are to stand by the president, right or wrong, is not only unpatriotic and servile, but is morally treasonable to the American public."

    IOW: It's prosecution time, Bush, Obama, Republican, Democrat, off to prison and trial with you.

  8. dave blevins, 14 Oct 2013 @ 7:34pm

    NSA as a target

    Looks like NSA is becoming more and more attractive as a hacker target - one break-in and you get it all !!

  9. Anonymous Coward, 14 Oct 2013 @ 7:35pm

    Re:

    They arguably violated the third amendment when they forced companies to put computers into their data centers. What's the seventh amendment say, I'm sure they are trying hard on that one as well.

  10. Anonymous Coward, 14 Oct 2013 @ 7:39pm

    Re: Re:

    The 7th amendment is right to trial by jury. So I guess they got rid of that one with gitmo.

  11. Baneki, 14 Oct 2013 @ 11:07pm

    The hits just keep coming

    Just when you think you've seen it hit rock bottom, the NSA comes out looking even worse with the latest data dump. It's a damned disgrace.

  12. Anonymous Coward, 14 Oct 2013 @ 11:46pm

    Re: Overseas surveillance: Obviously. Welcome to the 21st Century.

    All servers are 'overseas' for us Brits. So all those taps GCHQ does for their NSA masters, are on Brits.

    And surprise surprise, the '37000 selectors' the NSA runs on that data? Well it was doing other things with the data, like grabbing all the address books, buddy lists, passwords, any keys it can on British data.

    All helped by traitors in GCHQ and MI5 and a few in the Cabinet.

    Thank you Snowden. It's a pretty bleak world, and it's clear we don't have a free democracy in the UK, but at least we know where we stand now.

  13. Anonymous Coward, 15 Oct 2013 @ 2:53am

    and regardless of what changes are made, if any, the NSA and all other security agencies will continue doing exactly what they have been doing up to now. if anyone was serious in sorting this mess out, they would have actually done something by now but not a single change has been made. the one thing that would have made a difference was stopped by a few totally uneducated and unconcerned Congress people. that was the one and only chance and it's gone!

  14. Dan, 15 Oct 2013 @ 3:58am

    This is just infuriating. I use an Android phone, and sync my phone contacts with my Gmail account. Now the NSA might be hoovering my contact list (including unlisted and private numbers and email accounts) since I am a non-American. Gah!

  15. Ninja, 15 Oct 2013 @ 4:52am

    Re: I may be reading this incorrectly...

    And we thought spam was trash...

  16. Anonymous Coward, 15 Oct 2013 @ 5:50am

    Re: I may be reading this incorrectly...

    Or you could have some fun sending spam to tons of people, in ways meant to be as hilarious as possible.

    Like for example, send all the women on your contact lists spam email selling them erectile dysfunction and male penis enhancement spam.

    And send all the men emails telling them to lose weight with some expensive weight loss medication so they can all fit into their bikinis by spring! (I've seen spam viruses actually do this one when hijacking accounts where almost all the contacts are men)

  17. Anonymous Coward, 15 Oct 2013 @ 7:08am

    Now we know why they outlawed spam.

  18. Anonymous Coward, 15 Oct 2013 @ 8:53am

    So how long before we find out that it's not just metadata, not just your buddy list nor contact list but also the contents of every email.

    Greenwald says he has some major blockbusters coming. I can not help but believe that is one of them. So far there is little they haven't been into. I just can not see them leaving out the main purpose of sending an email if they are interested in who you talk to, for how long, where. Seems like stealing the bread and leaving the meat and that don't sound right.

  19. FM HIlton, 15 Oct 2013 @ 9:54am

    How long before real-time buddy lists?

    Ok, so they can get this stuff from overseas, supposedly. Do you really want to believe this?

    I mean, they've admitted to so much stuff being collected here, (with absolutely no apologies, either) and we just take it.

    They're lying-of course they're taking it from domestic services-and anything you say can and will be used against you in a court of law, too.

    Too bad nobody will ever be prosecuted for this and other crimes against the Constitution. Guess the DOJ has better things to do.

  20. John Fenderson, 15 Oct 2013 @ 11:20am

    Re:

    "and sync my phone contacts with my Gmail account"

    Don't do that, then. You can use an Android phone without syncing any data to Google's (or anyone else's) servers at all. I highly recommend that you just store everything on the phone itself, and back up the data onto your desktop machine.

  21. Spaceman Spiff, 15 Oct 2013 @ 3:39pm

    Why am I NOT surprised!

    That being afflicted by a spambot would keep me off of the NSA's "watch this dude" list... :rolleyes:
