10/15/2013
01:07 PM

NSA Harvests Personal Contact Lists, Too

Surveillance agency's bid to connect the dots leads to its annually harvesting 250 million global webmail and IM account contact and buddy lists.

The National Security Agency's massive digital dragnet extends even to intercepted contact lists, culled in part from people's online email address books and instant messaging (IM) "buddy lists." In fact, the agency amasses an estimated 250 million contact lists per year from around the world, collecting a volume of data that at times has strained the agency's technological capabilities.

That information comes via a Content Acquisition Optimization PowerPoint presentation, first published Monday by The Washington Post, that revealed the agency's apparently insatiable appetite for people's personal contact lists. The document is just the latest release from the trove of confidential NSA documents leaked by former agency contractor Edward Snowden.

Where does the agency find all of its intercepted contact information? In just one day -- described as typical -- the NSA's Special Source Operations branch tally of intercepted contact information included address books from Yahoo (444,743), Hotmail (105,068), Facebook (82,857) and Gmail (33,697), as well as 22,881 from other, unnamed providers, according to the NSA PowerPoint presentation, reported the Post. Added up, that volume of intercepted data would total more than 250 million contact lists per year.

In addition, the document said the NSA also mines about 500,000 IM and live-chat contact lists per day, receiving some of that data from foreign telecommunications firms or intelligence agencies.

Why might the NSA want to mine not just the social connections of the world's suspected terrorists -- surely, a minuscule number -- but also millions upon millions of other people? One answer comes from a presentation delivered earlier this year by Ira Hunt, the CTO of the CIA. "Since you cannot connect dots you don't have, it drives us into a mode of fundamentally trying to collect everything and hang on to it forever," Hunt said in a presentation at a March 2013 GigaOM conference in New York, reported Computing.

At the time, Hunt also revealed that "it is nearly within our grasp to compute on all human-generated information." He added that U.S. intelligence agencies are intent on harvesting this information, including not just emails and phone calls but also Facebook posts and YouTube submissions. But these types of intelligence-gathering efforts -- including the NSA's mining of contact and buddy lists -- are not without challenges. For example, one Yahoo account being tracked by the agency was hacked by spammers, who used the account to send a deluge of emails, which obviously traced back to that account. As a result, the NSA quickly "emergency detasked" the account, rather than being flooded with massive quantities of unusable data, according to the PowerPoint presentation.

Technical intricacies aside, the latest NSA revelations have triggered criticism from multiple civil rights groups, including the Center for Democracy & Technology (CDT). "Earlier disclosures made people think twice about whom they called. Now, they will have to wonder whether entering someone's contact information in their address book may also bring unwanted scrutiny," said Greg Nojeim, director of CDT's Project on Freedom, Security and Technology, in an email interview.

From a technological perspective, however, some information security experts said there's an easy fix. "[Let's] get SSL going on Web and mobile apps to end this pillage," tweeted Chris Wysopal, CTO of Veracode and a former member of L0pht.

On a related note, Yahoo is set to make SSL the default technique for accessing its website -- including emails and contact lists -- although not until Jan. 8. The SSL feature was first offered as an option earlier this year.

Google has offered SSL by default for all users since early 2010, followed by Microsoft with Outlook.com since July 2012, and Facebook in July 2013. "It's something of a mystery why it's taken Yahoo so long. Maybe they were busy spending all their time thinking up new logos, or devising reckless plans to recycle email addresses," said security researcher Graham Cluley in a blog post.

Yahoo's belated embrace of SSL has drawn plaudits -- not just from Cluley, who recommended activating the feature immediately, but also from a number of other privacy and security experts. "It's always a positive thing when companies take steps to protect their customers' information," Amie Stepanovich, director of the domestic surveillance program at privacy rights group Electronic Privacy Information Center, told the Post. "Unfortunately, this often only happens after a harmful event."

Some civil rights experts, however, warned that in light of the NSA's harvesting of contact lists, Yahoo's move to SSL still didn't go far enough to protect its users' security and privacy. "Even though Yahoo Mail is turning on HTTPS in Jan, they still intentionally leak your IP to email [recipients] (look in the headers)," tweeted Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project. By contrast, Google and Microsoft don't leak header information for their webmail users, he said.
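
The header disclosure Soghoian describes can be checked on a message you have sent to yourself. The Python sketch below is an added example, not part of the original article: the `X-Originating-IP` header name, the first-hop `Received` heuristic and the sample message (documentation-range addresses, example domains) are assumptions, since the article does not say which header carries the address.

```python
import email
import ipaddress
import re
from email import policy

# Assumed header name for this example; the article does not name the header.
CLIENT_IP_HEADERS = ("X-Originating-IP",)
IPV4 = re.compile(r"(?<![\d.])((?:\d{1,3}\.){3}\d{1,3})(?![\d.])")
# Internal ranges: these do not identify a user on the public internet.
INTERNAL = [ipaddress.ip_network(n) for n in
            ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
             "127.0.0.0/8", "169.254.0.0/16")]

def external_ips(text):
    """IPv4 addresses in a header value that are not internal (IPv6 not handled)."""
    found = []
    for candidate in IPV4.findall(text):
        try:
            addr = ipaddress.ip_address(candidate)
        except ValueError:
            continue  # out-of-range octets, not an address
        if not any(addr in net for net in INTERNAL):
            found.append(str(addr))
    return found

def sender_ip_exposure(raw_message):
    """Map header name -> addresses that may reveal the sender's client IP."""
    msg = email.message_from_string(raw_message, policy=policy.default)
    exposure = {}
    for name in CLIENT_IP_HEADERS:
        for value in msg.get_all(name, []):
            exposure.setdefault(name, []).extend(external_ips(str(value)))
    # Each relay prepends its Received header, so the last one is the first hop.
    for hop in msg.get_all("Received", [])[-1:]:
        exposure["Received (first hop)"] = external_ips(str(hop).split(" by ", 1)[0])
    return {name: ips for name, ips in exposure.items() if ips}

# Constructed sample: documentation-range addresses and example domains.
SAMPLE = """\
Received: from mx.recipient.example (mx.recipient.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP; Tue, 15 Oct 2013 13:07:05 -0400
Received: from [198.51.100.23] by web.mail.example via HTTP;
\tTue, 15 Oct 2013 10:07:00 -0700
X-Originating-IP: [198.51.100.23]
From: alice@mail.example
To: bob@recipient.example
"""

if __name__ == "__main__":
    print(sender_ip_exposure(SAMPLE))
```

An empty result means the provider recorded only its own or internal addresses for the first hop; HTTPS between browser and webmail does not change what the provider writes into these headers.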

Comments
Mathew,
User Rank: Apprentice
10/17/2013 | 10:51:40 AM
re: NSA Harvests Personal Contact Lists, Too
That's assuming they can keep it up and running without the reported electrical "meltdowns" that continue to occur. Perhaps they're gobbling one contact list too many.
Mathew,
User Rank: Apprentice
10/17/2013 | 10:49:00 AM
re: NSA Harvests Personal Contact Lists, Too
I think you've hit on the next NSA "hearts & minds" campaign: "Don't worry about backups, we've got you covered!"
MarciaNWC,
User Rank: Apprentice
10/16/2013 | 10:07:05 PM
re: NSA Harvests Personal Contact Lists, Too
That new NSA data center in Utah is going to fill up fast at this rate of data -- and spam -- collection.
xasositects,
User Rank: Apprentice
10/16/2013 | 5:04:29 PM
re: NSA Harvests Personal Contact Lists, Too
Oh good, I was worried about what I'd do in case I needed to recover my contact lists.
Thomas Claburn,
User Rank: Strategist
10/16/2013 | 2:32:51 AM
re: NSA Harvests Personal Contact Lists, Too
Resistance is futile. You will be assimilated.
OtherJimDonahue,
User Rank: Apprentice
10/15/2013 | 8:34:50 PM
re: NSA Harvests Personal Contact Lists, Too
"At the time, Hunt also revealed that 'it is nearly within our grasp to compute on all human-generated information.'"

I don't even know how to react to that.