Does the NSA know who 'friended' you on social media?

The latest leak about the NSA alleges that the US government uses foreign technology companies to collect hundreds of millions of digital contacts worldwide, including those of Americans.

– A daily summary of global reports on security issues.

The US government is using foreign technology companies and intelligence agencies to collect hundreds of millions of address books and friend lists around the world, including those of millions of Americans, in an end run around US privacy laws, according to a Washington Post report.

The Post article, published Monday and based on documents leaked by former National Security Agency contractor Edward Snowden, says the NSA uses a collection program to intercept contact lists from email and instant messaging services – including major companies like Yahoo, Google, Facebook, and Microsoft – as they are transmitted through international servers. The aggregated lists, which the Post calls "a sizable fraction of the world’s e-mail and instant messaging accounts," is then analyzed by the NSA to map relationships and search for connections with specific foreign intelligence targets.

The program relies on intercepting the data as it is transmitted across borders, taking advantage of the fact that many major service providers operate servers abroad in order to balance their workload. And rather than accessing corporate servers directly, the program instead grabs data as it is synced between the servers and clients – a procedure that happens whenever users log in or compose a message. That data is nominally a list of names of contacts, but can also include real world information such as street addresses, phone numbers, family and business information, and the first few lines of messages.

Because of the way it culls data, the program in theory does not run afoul of restrictions set by the Foreign Intelligence Surveillance Act, or FISA, which governs such data collection in the US and on American targets. Instead, the program is subject only to executive branch oversight and presidential authority.

However, the Post notes that the program is not "technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets," according to an anonymous US official.

When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”

In practice, data from Americans is collected in large volumes — in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages.

A senior U.S. intelligence official said the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”

NSA analysts, he said, may not search within the contacts database or distribute information from it unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”

British technology news site The Register reports that in a speech Mr. Snowden gave last week, but was only published Monday by Democracy Now, he criticizes the volume of data that the US is collecting, and appears to be citing, at least in part, the program revealed by the Post report.

"These [surveillance] programs don’t make us more safe. They hurt our economy. They hurt our country. They limit our ability to speak and think and to live and be creative, to have relationships, to associate freely," said Snowden, who has been accused of aiding terrorists and America's enemies....

Snowden said: "There's a far cry between legal programs, legitimate spying, legitimate law enforcement, where it's targeted, it's based on reasonable suspicion and individualized suspicion and warranted action, and sort of dragnet mass surveillance that puts entire populations under sort of an eye that sees everything, even when it's not needed."

And Alex Wilhelm asks in a story for IT news and commentary site TechCrunch, "if the NSA is willing to accept data from foreign intelligence agencies that it is not able to collect [under FISA restrictions], why not in other cases as well?"

If the NSA won’t respect the constraints that are put in place on its actions for a reason, and will instead shirk its responsibilities and find a way to get all the data it could ever desire, then we have even less reason to trust its constant petitions that it follows the law, and is the only thing keeping the United States safe from conflagration.

The Post includes comments from Microsoft, Google, Facebook, and Yahoo, all of which deny knowledge of and voluntary participation in the US program. The Post notes that according to the documents provided by Snowden, Yahoo sees a disproportionate share of the data the US collects, perhaps due to the fact that it has yet to encrypt all its users' communications. (In contrast, Google was the first to encrypt all its user messages, starting in 2010.) A Yahoo spokesperson told the Post that the company would begin encrypting all email communications in January.