
NSA Harvests Personal Contact Lists, Too

Surveillance agency's bid to connect the dots leads to its annually harvesting 250 million global webmail and IM account contact and buddy lists.

The National Security Agency's massive digital dragnet extends even to intercepted contact lists, culled in part from people's online email address books and instant messaging (IM) "buddy lists." In fact, the agency amasses an estimated 250 million contact lists per year from around the world, collecting a volume of data that at times has strained the agency's technological capabilities.

That information comes via a Content Acquisition Optimization PowerPoint presentation, first published Monday by The Washington Post, that revealed the agency's apparently insatiable appetite for people's personal contact lists. The document is just the latest release from the trove of confidential NSA documents leaked by former agency contractor Edward Snowden.

Where does the agency find all of its intercepted contact information? In just one day -- described as typical -- the NSA's Special Source Operations branch tally of intercepted contact information included address books from Yahoo (444,743), Hotmail (105,068), Facebook (82,857) and Gmail (33,697), as well as 22,881 from other, unnamed providers, according to the NSA PowerPoint presentation, reported the Post. Added up, that volume of intercepted data would total more than 250 million contact lists per year.


In addition, the document said the NSA also mines about 500,000 IM and live-chat contact lists per day, receiving some of that data from foreign telecommunications firms or intelligence agencies.

Why might the NSA want to mine not just the social connections of the world's suspected terrorists -- surely, a minuscule number -- but also millions upon millions of other people? One answer comes from a presentation delivered earlier this year by Ira Hunt, the CTO of the CIA. "Since you cannot connect dots you don't have, it drives us into a mode of fundamentally trying to collect everything and hang on to it forever," Hunt said in a presentation at a March 2013 GigaOM conference in New York, reported Computing.

At the time, Hunt also revealed that "it is nearly within our grasp to compute on all human-generated information." He added that U.S. intelligence agencies are intent on harvesting this information, including not just emails and phone calls but also Facebook posts and YouTube submissions.

But these types of intelligence-gathering efforts -- including the NSA's mining of contact and buddy lists -- are not without challenges. For example, one Yahoo account being tracked by the agency was hacked by spammers, who used the account to send a deluge of emails, which obviously traced back to that account. As a result, the NSA quickly "emergency detasked" the account rather than be flooded with massive quantities of unusable data, according to the PowerPoint presentation.

Technical intricacies aside, the latest NSA revelations have triggered criticism from multiple civil rights groups, including the Center for Democracy & Technology (CDT). "Earlier disclosures made people think twice about whom they called. Now, they will have to wonder whether entering someone's contact information in their address book may also bring unwanted scrutiny," said Greg Nojeim, director of CDT's Project on Freedom, Security and Technology, in an email interview.

From a technological perspective, however, some information security experts said there's an easy fix. "[Let's] get SSL going on Web and mobile apps to end this pillage," tweeted Chris Wysopal, CTO of Veracode and a former member of L0pht.

On a related note, Yahoo is set to make SSL the default technique for accessing its website -- including emails and contact lists -- although not until Jan. 8. The SSL feature was first offered as an option earlier this year.

Google has offered SSL by default for all users since early 2010, followed by Microsoft with Outlook.com since July 2012, and Facebook in July 2013. "It's something of a mystery why it's taken Yahoo so long. Maybe they were busy spending all their time thinking up new logos, or devising reckless plans to recycle email addresses," said security researcher Graham Cluley in a blog post.

Yahoo's belated embrace of SSL has drawn plaudits -- not just from Cluley, who recommended activating the feature immediately, but also from a number of other privacy and security experts. "It's always a positive thing when companies take steps to protect their customers' information," Amie Stepanovich, director of the domestic surveillance program at privacy rights group Electronic Privacy Information Center, told the Post. "Unfortunately, this often only happens after a harmful event."

Some civil rights experts, however, warned that in light of the NSA's harvesting of contact lists, Yahoo's move to SSL still didn't go far enough to protect its users' security and privacy. "Even though Yahoo Mail is turning on HTTPS in Jan, they still intentionally leak your IP to email [recipients] (look in the headers)," tweeted Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project. By contrast, Google and Microsoft don't leak header information for their webmail users, he said.

User Rank: Apprentice
10/17/2013 | 10:51:40 AM
re: NSA Harvests Personal Contact Lists, Too
That's assuming they can keep it up and running without the reported electrical "meltdowns" that continue to occur. Perhaps they're gobbling one contact list too many.
User Rank: Apprentice
10/17/2013 | 10:49:00 AM
re: NSA Harvests Personal Contact Lists, Too
I think you've hit on the next NSA "hearts & minds" campaign: "Don't worry about backups, we've got you covered!"
User Rank: Apprentice
10/16/2013 | 10:07:05 PM
re: NSA Harvests Personal Contact Lists, Too
That new NSA data center in Utah is going to fill up fast at this rate of data -- and spam -- collection.
User Rank: Apprentice
10/16/2013 | 5:04:29 PM
re: NSA Harvests Personal Contact Lists, Too
Oh good, I was worried about what I'd do in case I needed to recover my contact lists.
Thomas Claburn,
User Rank: Moderator
10/16/2013 | 2:32:51 AM
re: NSA Harvests Personal Contact Lists, Too
Resistance is futile. You will be assimilated.
User Rank: Apprentice
10/15/2013 | 8:34:50 PM
re: NSA Harvests Personal Contact Lists, Too
"At the time, Hunt also revealed that 'it is nearly within our grasp to compute on all human-generated information.'"

I don't even know how to react to that.