Skip Navigation

The NSA Owes Us Answers

A document recently leaked by Edward Snowden reveals that the National Security Agency is vacuuming up contact lists — address books and “buddy lists” — of people using email or instant messaging.

October 27, 2013

Cross­pos­ted on

A docu­ment recently leaked by Edward Snowden reveals that the National Secur­ity Agency is vacu­um­ing up contact lists — address books and “buddy lists” — of people using email or instant messaging. The Agency may also be getting the first few lines of people’s emails, using the same tech­no­logy. The NSA claims it is only collect­ing this inform­a­tion over­seas, and search­ing its caches only if there is a foreign intel­li­gence justi­fic­a­tion. So why worry?

Well, there are a few big things we know, and a couple we don’t. In Donald Rums­feld’s under­ap­pre­ci­ated words, these are the known knowns and the known unknowns. And they are all cause for concern. 

First, while the NSA may be focus­ing its efforts over­seas, it is getting a lot of Amer­ic­ans’ data too. How? To start with, any Amer­ican living or trav­el­ing over­seas will “look” foreign to the NSA. In addi­tion, if Amer­ic­ans corres­pond with friends over­seas by email – which is highly likely – their address can be picked up when those friends are targeted. And remem­ber, a target isn’t neces­sar­ily a terror­ist. It can be anyone talk­ing about anything of interest to the U.S. govern­ment, includ­ing a friend who works for a non-govern­mental organ­iz­a­tion or bank located outside the United States. 

Most signi­fic­antly, what stays over­seas does­n’t neces­sar­ily happen over­seas. Amer­ican commu­nic­a­tions compan­ies — think Google and Face­book — are big. They handle a lot of data. They can’t process it all in the U.S. So they have foreign serv­ers, which may handle Amer­ic­ans’ commu­nic­a­tions. Thus, even if only foreign locales are targeted, Amer­ic­ans’ contact lists are bound to be swept up as well. 

This brings us to the second thing we know: contact lists can tell the govern­ment a lot. They can include names, email addresses, phone numbers, phys­ical addresses, birth­days, names of family members, and more. At the same time, they may be decept­ive, suggest­ing connec­tions to people the owner of the list does­n’t even know or knows very little. Indeed, we all receive dozens of emails a day from people and compan­ies we don’t know and prob­ably don’t want to know. The NSA itself has had a prob­lem with spam­mers taking over targets’ email accounts and email­ing thou­sands of people whose address books are then auto­mat­ic­ally harves­ted, lead­ing to a torrent of useless inform­a­tion flood­ing the NSA’s computers. So these lists offer a double whammy: they are reveal­ing AND poten­tially mislead­ing. 

Finally, we know the govern­ment is getting a lot of inform­a­tion: over a million address lists, buddy lists, and inboxes on an aver­age day. Not all of that belongs to Amer­ic­ans, to be sure. But even a modest percent­age of a lot can be a lot. And accord­ing to the NSA’s own docu­ments, one of the main effects of this data has been to over­whelm the agency’s rather impress­ive systems. This is the agency that built a data­base that held 41 billion commu­nic­a­tions records in a single month. So if it says it’s getting too much, you can take that to the bank. 

This brings us to two import­ant things we don’t know. First, what successes, if any, has this sweep­ing program had that could­n’t be accom­plished with more targeted collec­tion? There is good reason to demand a frank answer. The director of the NSA has grudgingly confirmed to Congress that the phone metadata data­base has made few if any unique contri­bu­tions to the nation’s safety. That’s why a bipar­tisan group of senat­ors, many with access to clas­si­fied inform­a­tion, has proposed shut­ter­ing the entire program. A couple of years ago, a similar program for email metadata was finally shut down under pres­sure from two of those same lawmakers, Sens. Wyden and Udall, when the NSA could­n’t prove its effect­ive­ness. Given this track record, we must learn more about the address list program. 

Our second known unknown is how long the govern­ment is keep­ing the contact lists of inno­cent Amer­ic­ans, their friends, and their friends’ friends. The govern­ment has said there are minim­iz­a­tion proced­ures govern­ing this data, but it has kept mum on what those are. If they are anything like the proced­ures govern­ing the NSA’s hand­ling of the content of Amer­ic­ans’ emails and phone calls, they’re pretty gener­ous. Those proced­ures, which address the acci­dental collec­tion of Amer­ic­ans’ commu­nic­a­tions, allow the NSA to keep Amer­ic­ans’ emails and calls for up to six years from the start of surveil­lance – longer if they contain foreign intel­li­gence or evid­ence of a crime. The NSA may not keep the contact lists for so long, simply because they take up so much space. But Amer­ic­ans deserve to know exactly how the govern­ment is hand­ling their private inform­a­tion.  

No doubt, we will learn about some other NSA collec­tion program soon. But this is the latest picture. The known knowns should give us pause. At the same time, there is a lot we don’t know yet. The public deserves to get answers that will allow an honest assess­ment of both the value of the NSA’s program and its impact on our liber­ties. If recent history is any guide, the more inform­a­tion comes out, the harder the program will be to defend.

(Photo: Flickr/swudc)