NSA Harvests Personal Contact Lists, Too

Surveillance agency's bid to connect the dots leads to its annually harvesting 250 million global webmail and IM account contact and buddy lists.

Mathew J. Schwartz, Contributor

October 15, 2013

4 Min Read

9 Android Apps To Improve Security, Privacy

9 Android Apps To Improve Security, Privacy

9 Android Apps To Improve Security, Privacy (click image for larger view)

The National Security Agency's massive digital dragnet extends even to intercepted contact lists, culled in part from people's online email address books and instant messaging (IM) "buddy lists." In fact, the agency amasses an estimated 250 million contact lists per year from around the world, collecting a volume of data that at times has strained the agency's technological capabilities.

That information comes via a Content Acquisition Optimization PowerPoint presentation, first published Monday by The Washington Post, that revealed the agency's apparently insatiable appetite for people's personal contact lists. The document is just the latest release from the trove of confidential NSA documents leaked by former agency contractor Edward Snowden.

Where does the agency find all of its intercepted contact information? In just one day -- described as typical -- the NSA's Special Source Operations branch tally of intercepted contact information included address books from Yahoo (444,743), Hotmail (105,068), Facebook (82,857) and Gmail (33,697), as well as 22,881 from other, unnamed providers, according to the NSA PowerPoint presentation, reported the Post. Added up, that volume of intercepted data would total more than 250 million contact lists per year.

[ How the NSA tracked your phone calls: NSA Discloses Cellphone Location Tracking Tests. ]

In addition, the document said the NSA also mines about 500,000 IM and live-chat contact lists per day, receiving some of that data from foreign telecommunications firms or intelligence agencies.

Why might the NSA want to mine not just the social connections of the world's suspected terrorists -- surely, a miniscule number -- but also millions upon millions of other people? One answer comes from a presentation delivered earlier this year by Ira Hunt, the CTO of the CIA. "Since you cannot connect dots you don't have, it drives us into a mode of fundamentally trying to collect everything and hang on to it forever," Hunt said in a presentation at a March 2013 GigaOM conference in New York, reported Computing.

At the time, Hunt also revealed that "it is nearly within our grasp to compute on all human-generated information." He added that U.S. intelligence agencies are intent on harvesting this information, including not just emails and phone calls but also Facebook posts and YouTube submissions. But these types of intelligence-gathering efforts -- including the NSA's mining of contact and buddy lists -- are not without challenges. For example, one Yahoo account being tracked by the agency was hacked by spammers, who used the account to send a deluge of emails, which obviously traced back to that account. As a result, the NSA quickly "emergency detasked" the account, rather than being flooded with massive quantities of unusable data as a result, according to the PowerPoint presentation.

Technical intricacies aside, the latest NSA revelations have triggered criticism from multiple civil rights groups, including the Center for Democracy & Technology (CDT). "Earlier disclosures made people think twice about whom they called. Now, they will have to wonder whether entering someone's contact information in their address book may also bring unwanted scrutiny," said Greg Nojeim, director of CDT's Project on Freedom, Security and Technology, in an email interview.

From a technological perspective, however, some information security experts said there's an easy fix. "[Let's] get SSL going on Web and mobile apps to end this pillage," tweeted Chris Wysopal, CTO of Veracode and a former member of L0pht.

On a related note, Yahoo is set to make SSL the default technique for accessing its website -- including emails and contact lists -- although not until Jan. 8. The SSL feature was first offered as an option earlier this year.

Google has offered SSL by default for all users since early 2010, followed by Microsoft with Outlook.com since July 2012, and Facebook in July 2013. "It's something of a mystery why it's taken Yahoo so long. Maybe they were busy spending all their time thinking up new logos, or devising reckless plans to recycle email addresses," said security researcher Graham Cluley in a blog post.

Yahoo's belated embrace of SSL has drawn plaudits -- not just from Cluley, who recommended activating the feature immediately, but also from a number of other privacy and security experts. "It's always a positive thing when companies take steps to protect their customers' information," Amie Stepanovich, director of the domestic surveillance program at privacy rights group Electronic Privacy Information Center, told the Post. "Unfortunately, this often only happens after a harmful event."

Some civil rights experts, however, warned that in light of the NSA's harvesting of contact lists, Yahoo's move to SSL still didn't go far enough to protect its users' security and privacy. "Even though Yahoo Mail is turning on HTTPS in Jan, they still intentionally leak your IP to email [recipients] (look in the headers)," tweeted Christopher Soghoian, principal technologist and senior policy analyst for the ACLU's Speech, Privacy and Technology Project. By contrast, Google and Microsoft don't leak header information for their webmail users, he said.

About the Author(s)

Mathew J. Schwartz


Mathew Schwartz served as the InformationWeek information security reporter from 2010 until mid-2014.

Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox.

You May Also Like

More Insights