http://www.washingtonpost.com/world/national-security/nsa-collects-millions-of-e-mail-address-books-globally/2013/10/14/8e58b5be-34f9-11e3-80c6-7e6dd8d22d8f_print.html
NSA collects millions of e-mail address books globally
By Barton Gellman and Ashkan Soltani,
The National Security Agency is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top secret documents provided by former NSA contractor Edward Snowden.
The collection program, which has not been disclosed before, intercepts e-mail address books and “buddy lists” from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers.
Rather than targeting individual users, the NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world’s e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and map relationships within a much smaller universe of foreign intelligence targets.
During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million a year.
Each day, the presentation said, the NSA collects contacts from an estimated 500,000 buddy lists on live-chat services as well as from the in-box displays of Web-based e-mail accounts.
The collection depends on secret arrangements with foreign telecommunications companies or allied intelligence services in control of facilities that direct traffic along the Internet’s main data routes.
Although the collection takes place overseas, two senior U.S. intelligence officials acknowledged that it sweeps in the contacts of many Americans. They declined to offer an estimate but did not dispute that the number is likely to be in the millions or tens of millions.
A spokesman for the Office of the Director of National Intelligence, which oversees the NSA, said the agency “is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers. We are not interested in personal information about ordinary Americans.”
The spokesman, Shawn Turner, added that rules approved by the attorney general require the NSA to “minimize the acquisition, use, and dissemination” of information that identifies a U.S. citizen or permanent resident.
The NSA’s collection of nearly all U.S. call records, under a separate program, has generated significant controversy since it was revealed in June. The NSA’s director, Gen. Keith B. Alexander, has defended “bulk” collection as an essential counterterrorism and foreign intelligence tool, saying “you need the haystack to find the needle.”
Contact lists stored online provide the NSA with far richer sources of data than call records alone. Address books commonly include not only names and e-mail addresses, but also telephone numbers, street addresses, and business and family information. In-box listings of e-mail accounts stored in the “cloud” sometimes contain content such as the first few lines of a message.
Taken together, the data would enable the NSA, if permitted, to draw detailed maps of a person’s life, as told by personal, professional, political and religious connections. The picture can also be misleading, creating false “associations” with ex-spouses or people with whom an account holder has had no contact in many years.
The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss a classified program. “None of those are on U.S. territory.”
Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said.
When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”
In practice, data from Americans is collected in large volumes — in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages.
A senior U.S. intelligence official said that the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”
NSA analysts, he said, may not search or distribute information from the contacts database unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”
In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.
By contrast, the NSA draws on authority in the Patriot Act for its bulk collection of domestic phone records, and it gathers online records from U.S. Internet companies, in a program known as PRISM, under powers granted by Congress in the FISA Amendments Act. Those operations are overseen by the Foreign Intelligence Surveillance Court.
Sen. Dianne Feinstein, the California Democrat who chairs the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence gathering that relies solely on presidential authority. She said she planned to ask for more briefings on those programs.
“In general, the committee is far less aware of operations conducted under 12333,” said a senior committee staff member, referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. “I believe the NSA would answer questions if we asked them, and if we knew to ask them, but it would not routinely report these things, and, in general, they would not fall within the focus of the committee.”
Because the agency captures contact lists “on the fly” as they cross major Internet switches, rather than “at rest” on computer servers, the NSA has no need to notify the U.S. companies that host the information or to ask for help from them.
“We have neither knowledge of nor participation in this mass collection of webmail addresses or chat lists by the government,” said Google spokesman Niki Fenwick.
At Microsoft, spokesman Nicole Miller said the company “does not provide any government with direct or unfettered access to our customers’ data,” adding that “we would have significant concerns if these allegations about government actions are true.”
Facebook spokesman Jodi Seth said “we did not know and did not assist” in the NSA’s interception of contact lists.
It is unclear why the NSA collects more than twice as many address books from Yahoo as from the other big services combined. One possibility is that Yahoo, unlike other service providers, has left connections to its users unencrypted by default.
Suzanne Philion, a Yahoo spokesman, said Monday in response to an inquiry from The Washington Post that, beginning in January, Yahoo would begin encrypting all its e-mail connections.
Google was the first to secure all its e-mail connections, turning on “SSL encryption” globally in 2010. People with inside knowledge said the move was intended in part to thwart large-scale collection of its users’ information by the NSA and other intelligence agencies.
The volume of NSA contacts collection is so high that it has occasionally threatened to overwhelm storage repositories, forcing the agency to halt its intake with “emergency detasking” orders. Three NSA documents describe short-term efforts to build an “across-the-board technology throttle for truly heinous data” and longer-term efforts to filter out information that the NSA does not need.
Spam has proven to be a significant problem for the NSA — clogging databases with information that holds no foreign intelligence value. The majority of all e-mails, one NSA document says, “are SPAM from ‘fake’ addresses and never ‘delivered’ to targets.”
In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.”
The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf.
After nine days of data-bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.”
In a briefing from the NSA’s Large Access Exploitation working group, that example was used to illustrate the need to narrow the criteria for data interception. It called for a “shifting collection philosophy”: “Memorialize what you need” vs. “Order one of everything off the menu and eat what you want.”
http://rt.com/news/governments-businesses-evading-nsa-196/
Private telecom providers, businesses and governments are increasingly compelled to move or reinforce web operations following disclosures of the NSA’s mass internet surveillance programs made by whistleblower Edward Snowden.
Brazil is set to vote on the creation of a cyber-security system to thwart National Security Agency espionage of Brazilian government systems. US surveillance led by the NSA had infiltrated the highest levels of Brazil’s administration.
The largest telecom provider in Germany, the formerly-state-run Deutsche Telekom, is seeking to keep their service in-country, out of the reach of foreign spying.
But much smaller internet companies are also feeling the need, based on customer demand and common sense, to move their servers out of the reach of the NSA and the United States’ partners in global surveillance, Australia, Canada, New Zealand and the UK - the “Five Eyes.”
Encrypted-communications provider Unseen, for instance, has recently moved its servers and bank accounts from the US to Iceland, based on the NSA’s vast reach and the Nordic country’s commitment to privacy rights.
“Our customers demanded it. They wanted us to move to a place where they felt their data was safe,” Unseen founder Chris Kitze told RT.
He said the move wasn’t based on a marketing gimmick but because “everybody wants privacy for their data.”
“We’re actually getting calls from friends of mine who run businesses that store data for large multinational companies. Consumers are demanding this. This is what’s driving us,” Kitze said.
Kitze described Iceland as dedicated to protecting the rights of its citizens, saying he believes his company’s servers can be safe there despite the NSA’s global capabilities.
“It’s just a very good moral climate,” he said of Iceland, though he said strong safety must always involve end-to-end encryption no matter where servers are.
He said the NSA’s brazenness and the broader rhetoric of security used by the US to justify mass surveillance should not deter companies like his in providing safe havens.
“Instead of targeting people who they know or suspect of being terrorists or causing bad things, they’re expecting everyone to be a terrorist, and that of course is not true,” he said of the NSA.
Moving to Russia: Setting a new trend?
Snowden’s leaks showed that neither .com, nor European Internet domains can be trusted if you want your data to be private and safe, the president of Malaysia-based finance advisory firm Najadi & Partners, Pascal Najadi, told RT.
Najadi has decided to move his company servers into the .ru domain.
“Once reality conquers over illusion, it’s time to wake up,” Najadi told RT’s Aleksey Yaroshevsky.
Najadi said that the decision to have his company’s servers moved to Moscow was driven by “logic” and “common sense,” with no direct business interest. Once Snowden’s files revealed the scale of the American and allied agencies’ data snooping, the company “decided to act accordingly.”
In Russia, one’s data is protected by law, Najadi believes. Moreover, Russia is “a protector of peace,” he said, adding that Russian President Vladimir Putin “just saved the world from a serious, serious war,” referring to the diplomatic developments around the Syrian crisis.
Najadi then pointed out there is an “enormous” interest in his decision from global partners and media, adding he is “sure there will be a follow-up.”
“We’re setting a trend. We’re not into Internet business – we’re a consultancy firm, and we do not gain more business through having a .ru. Having said that, it shows our clients that we take confidentiality serious, and that is the message between the lines,” Najadi explained.
While Najadi, as a head of a multibillion-dollar family business, may be pioneering such a step, foreign companies, including major international brands, have been steadily showing interest in having their sites registered in the .ru domain, RT’s Yaroshevsky learned at RU-CENTER.
Sergey Gorbunov, deputy director for International Relations at RU-CENTER, told RT that “foreign intelligence agencies of course have less opportunities to control the equipment that is placed in Russia.”
Up to 26 percent of domains registered in .ru are owned by foreign companies, with the same companies occupying 20 percent of the alternative .su domain.