What information is the NSA collecting?
The NSA is collecting “contact lists.” These are the online address books that allow users of Gmail, Yahoo mail, Hotmail, Facebook, and other online services to keep track of their friends, family, and business associates.
Address books contain the email addresses of people that users are in contact with via email or chat. In some services, including Google Contacts and Facebook, they can also include full names, addresses, and phone numbers. Many smartphones and computers allow you to 'sync' your contacts to services such as Google and Facebook.
Leading web-based email services generate contact lists automatically as the result of sending (and sometimes receiving) emails. These lists allow users to compose emails more quickly via an “auto-complete” feature. Google received flak in 2010 for publishing users’ email contact lists publicly during the rollout of Google Buzz.
A document supplied to The Washington Post by Edward Snowden indicates that in one representative day, the NSA collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail, and 22,881 from other providers.
How are they collecting it?
The NSA is engaged in bulk collection at key internet access points controlled by foreign telecommunications companies and allied intelligence services. Slides show that the information is being collected from at least 18 collection points known as “SIGADs” or Signals Intelligence Activity Designators.
The documents and intelligence officials say all the collection of contact information takes place outside U.S. territory. But the distributed nature of modern web infrastructure means that communications between an American user and a U.S. webmail provider (such as Google) could still flow outside the United States, where there are fewer legal restrictions on NSA surveillance. The contact lists of Americans also cross the NSA’s international collection points when they live or travel overseas.
Wait, isn’t that information encrypted?
Sometimes, but not always. Webmail providers have slowly rolled out HTTPS encryption (that lock icon in your browser) but the feature is relatively new for everyone except Google (see timeline). And Yahoo still doesn’t encrypt its webmail service by default—though after we confronted Yahoo on its vulnerability to NSA snooping, the company told the Washington Post today that it would begin offering SSL by default in January 2014.
Even when SSL is available for webmail, other software may transmit the information without encryption. For example, when the Address Book application on Apple computers syncs with Google Contacts, the information is transmitted “in the clear,” making it vulnerable to third-party snooping. This is often the case with legacy devices and non-webmail clients.
What does the NSA do with this information?
Address books help the NSA to map ‘the social graph’ and identify associations between individuals. Unlike call records, such as the bulk 215 collection reported by the Guardian, address book information can reveal latent associations between individuals that may not be currently active. Intelligence officials say they are not permitted to mine the address books with “contact chaining” tools without a specific foreign intelligence purpose, but the rules have not been published and officials declined to elaborate.
We can get some idea of what those rules look like by examining the rules that govern the collection of information under the PRISM program. These rules do not apply directly to data collected overseas, but they spell out procedures for targeting foreigners and minimizing the collection of data from Americans that are likely similar to those that govern the NSA’s use of address book information.
Those rules indicate that an American can attract special scrutiny merely by being listed in a foreign target’s contact list. If your contact information is “included in the ‘buddy list’ or address book” that U.S. intelligence officials believe belongs to “an individual associated with a foreign power or foreign territory,” that can be enough to attract special scrutiny.
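To make concrete why address books are more revealing than call records (the “latent associations” point above) and how a single listing can pull someone into scope, here is a small added illustration in Python. It is not from the article or from any NSA tool; the address books, the activity records and the e-mail addresses are all constructed sample data.

```python
from collections import deque

# Constructed sample data, not from the article: each person's address book (outbound listings).
ADDRESS_BOOKS = {
    "alice@example.com": {"bob@example.com", "carol@example.com"},
    "bob@example.com":   {"alice@example.com", "dave@example.com"},
    "carol@example.com": {"erin@example.com"},
    "dave@example.com":  set(),
    "erin@example.com":  {"carol@example.com"},
}

# Constructed activity records (who actually exchanged messages or calls in the period), as unordered pairs.
ACTIVE_PAIRS = {
    frozenset({"alice@example.com", "bob@example.com"}),
    frozenset({"bob@example.com", "dave@example.com"}),
}

def latent_links(books, active):
    """Pairs joined by an address-book listing but with no recorded activity.

    Call records only ever show the pairs in `active`; the address books add the rest.
    """
    listed = {frozenset({owner, entry}) for owner, entries in books.items() for entry in entries}
    return listed - active

def contact_chain(books, seed, hops):
    """Everyone reachable from `seed` within `hops` address-book steps (breadth-first).

    Step 1 is the seed's own contacts; each further step expands the contacts of those contacts.
    """
    seen, queue = {seed}, deque([(seed, 0)])
    while queue:
        person, depth = queue.popleft()
        if depth == hops:
            continue
        for entry in books.get(person, ()):
            if entry not in seen:
                seen.add(entry)
                queue.append((entry, depth + 1))
    seen.discard(seed)
    return seen

def listed_by(books, person):
    """Owners whose address book contains `person`: appearing here is what the rules above call a buddy-list listing."""
    return {owner for owner, entries in books.items() if person in entries}

if __name__ == "__main__":
    print(sorted(tuple(sorted(p)) for p in latent_links(ADDRESS_BOOKS, ACTIVE_PAIRS)))
    print(sorted(contact_chain(ADDRESS_BOOKS, "alice@example.com", 2)))
    print(sorted(listed_by(ADDRESS_BOOKS, "carol@example.com")))
```

Run on the sample, the activity records alone show two relationships, while the address books add two more that never appear in any call or message, and a two-hop chain from one seed already reaches every other person in the set.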
Is this legal?
The NSA declined to discuss the legal boundaries of this program in detail. If it collected contact lists in bulk from switches located inside the United States, the operation would almost certainly violate the Foreign Intelligence Surveillance Act. But that law, passed in 1978 and amended in 2008 and 2012, only restricts surveillance that targets Americans or takes place on American soil. Even though the program likely sweeps in contact lists of millions of Americans, the NSA would argue that they are "incidentally" collected, not "targeted."
Correction: This post originally stated that Google Buzz was launched in 2012. It was launched in 2010. We regret the error.
Ashkan Soltani is an independent researcher and consultant focused on privacy, security, and behavioral economics.