(Source: AFP)
NSA says it's acting legally in seizing IM contacts lists, email address books, and even some email text

A new piece in The Washington Post reveals that the U.S. National Security Agency (NSA) seized the email and IM contacts lists of 700,000+ accounts daily in 2012, including Americans who paid for this surveillance.  Legally the NSA is explicitly verboten from spying against Americans, an activity which is supposedly antithetical to its nationalist mission statement.  But by creatively redefining its own rules, the NSA does not consider what it is doing illegal.

I. "The Assumption [on Foreign Networks] is You're Not an American"

The NSA is supposed to only spy on foreign citizens.

Hence the issue begins with the issue of who is an American.  If a person is an American, it is explicitly illegal to monitor them within the U.S., as that's forbidden under the laws that govern the NSA.  However, if you're an American overseas you enter a grey area of the law.  Technically it still seems against the spirit of the agency and similar to the explicitly forbidden spying within the U.S.; but overseas spying on American citizens isn't explicitly forbidden either.

The NSA has already made it clear that "accidentally" breaking the law thousands of times a year, by illegally spying on Americans who it has the data to know are within the U.S.

Now these fresh disclosures show what could be a mere tip of the iceberg.

Autonomy poster
Replace "80%" with "99%" and this graphic starts to describe the NSA's efforts to illegal spy on Americans. [Image Source: Autonomy]

Ideally, if Congress hasn't granted the power in such grey areas -- but also hasn't explicitly forbidden it -- the agency is left to weigh how critical such an effort is, versus potential ethical and Constitutional issues.

When it comes to overseas surveillance, the NSA is playing a clever game, conveniently saying that it can seizing much more data from Americans by simply claiming that it assumes you're a foreigner.

The Washington Post says that an official acknowledges that the NSA maintains a variety of overseas digital collection points, and asserts that if your data is intercepted there that "the assumption is you're not a U.S. person.”

II. Technically Flawed Argument Boosts Illegal Objectives

At this point you might think "okay, well that only applies to international travellers, and I mostly stay in the country, so my data is safe."

But there you would be wrong.  You see, the NSA not only applies it's guesswork logic to instances where a person is physically in a foreign country and utilizing digital infrastructure there (say a cell phone tower), they also apply it even if you're in the U.S. and merely communicating with foreign servers.

The NSA assumes if your data passes through foreign servers, that you're a foreigner and it can feast on it. [Image Source: KnowYourMeme]

The NSA is essentially claiming that Congress does tell it to collect data in this way, as it assumes any data in a foreign country is from foreigners.  The central premise here is that for the most part no foreign data exists on a nation's domestic network.

Many companies like Google Inc. (GOOG) mirror your domestic data on their secure global servers in order to provide consistent service.  In other words, you may be in a U.S. and you may be using a widely used U.S. service, but because of how that service is implemented, the NSA in its warped logic assumes you're not a citizen.

Yahoo! proved the most vulnerable to spying, due to its large user base and historic lack of SSL encryption. [Image Source: Inquirer]

If the NSA can make the case that by mining a nation's networks it is monitoring "a valid foreign intelligence target in and of itself", it considers that enough to start interception.  Of the 700,000+ email contacts lists grabbed last year, Yahoo! Inc. (YHOO) accounted for the biggest share (444,743), with Facebook, Inc. (FB) (82,857), and Google's Gmail (33,697) somewhat farther back.

In addition to email contacts lists, for web clients like Gmail and Yahoo! Mail it can also collect the first few lines of email in some case, along with the email header which includes who sent and received the message.  And it collects 500,000+ IM contact lists, on average per day.

In total the documents indicate the NSA collects hundreds of millions of email contacts list, inbox scrapes, and IM lists.  This makes it highly probably that the NSA uses its "not an American" assumption to seize the personal information of a large percentage of Americans, particularly when you consider that some of the most popular services in regions like China and Europe aren't even mentioned in the report.

In fact, in a perhaps telling sign, the NSA's seizures primarily have targeted not foreigners, but the services that are most popular domestically (e.g. Gmail, Yahoo!).

III. NSA Accidentally Spams Itself

For beleaguered U.S. citizens, there may be silver lining to this part of the NSA's cloud spying scheme; spam email -- normally an annoyance-- may actually be welcome countermeasure against the NSA reading through your emails.  

Because the NSA grabs the such a significant chunk of text from Americans' and foreigners' unencrypted emails records the NSA is being smacked with storage shortfalls, as it can keep up with all the spam email that it's accidentally seized.  The volume of spam has forced the NSA to reportedly institute "emergency detasking" orders, where it wipes some of its data stockpile to allow more new data to come in.

The NSA has been accidentally seizing your spam. [Image Source: MSNBC]

Yahoo's higher interception rate is speculated to be possibly due to its late implementation of SSL, an encryption mechanism that makes it harder for the NSA to break into your email.  The NSA and criminals who engage in online theft bear certain similarities; for starters they both hate encryption.  The NSA has spent $250M USD reportedly in U.S. taxpayer money to try to weaken international encryption, which leaves you more vulnerable to identity theft and other forms of hacking, but makes it easier to spy on you.

The Gmail address books are particularly interesting as it's been widely publicized that Google mirrors your data, while it's less clear whether Yahoo! and Facebook are engaging in such activities.

Notably the NSA does not have to notify companies like Yahoo!, Facebook, or Google that it's seizing their data, nor does it have to get a warrant, court order, or other official legal mechanism, aside from its blanket self-authorization.  By seizing the data at a lower level (likely at regional data routing hubs) the NSA can feast on a buffet of data without ever having to pay a notice to the companies whose users are being targeted.

fiber optics
The NSA directly scrapes data off cable hubs. [Image Source: AP]

This obviously makes data seizure much easier, as companies are unable to fight against what they don't know.  Many companies like Google have successfully fought similar seizure attempts on Americans' data in either secret or public courts.

The NSA cleverly realized that citizens and companies can't fight being spied upon if they don't know about it.  Unfortunately for it, they now know about it. [Image Source: NYPost]

As with past leaks, this leak came courtesy of Edward Snowden, the former NSA contractor who now faces criminal charges for revealing to Americans the extent they're being spied upon.  Despite these charges, Mr. Snowden has garnered a great deal of support, even winning an award from former CIA operatives.

His latest publication follows information published earlier this month, which revealed that the NSA was building databases to track the real world identities of Americans' friends along with their locations, this specialist system was estimated in internal documents to seize 20 billion metadata records a day, giving the NSA the power to know who your wife, girlfriend, mistress, etc. are.

Sources: The Washington Post, NSA via Intellipedia/The Washington Post

"DailyTech is the best kept secret on the Internet." -- Larry Barber

Copyright 2017 DailyTech LLC. - RSS Feed | Advertise | About Us | Ethics | FAQ | Terms, Conditions & Privacy Information | Kristopher Kubicki