NSA E-Spying: Bad GovernanceHarvesting Millions of E-mail Contacts, Buddy Lists
In addition to raising concerns about violating Americans' civil liberties, revelations about how the National Security Agency collects and uses e-mail and instant messaging contact lists demonstrate bad data governance practices, a leading privacy attorney says.
See Also: Rethinking Endpoint Security
Fundamental rules of good data governance call for only collecting what is needed for a purpose, giving access to only those who need to know and then scrubbing the information when it's no longer needed. "Putting aside the Fourth Amendment issues, NSA is not even following these basic principles," attorney Ron Raether says. "NSA is collecting everything about everyone and keeping all of it in the event it might become relevant."
The Washington Post reported on Oct. 14 that the NSA is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden.
Revelations on the NSA collection of e-mail accounts and instant messaging are the latest of a long line of government e-spying leaks coming from files Edward Snowden amassed surreptitiously when he worked as an NSA contractor with top-secret security clearance (see Edward Snowden Is No Daniel Ellsberg).
The Post reports the collection program intercepts e-mail address books and buddy lists from instant messaging services as they move across global data links. Rather than target individual users, the NSA gathers contact lists in large numbers that amount to a sizable portion of the world's e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and to map relationships within a much smaller universe of foreign intelligence targets.
Americans Swept Up
The NSA collection takes place overseas, but two senior U.S. intelligence officers told the Post that it sweeps in the contacts of many Americans. They declined to offer an estimate but did not dispute that the number of Americans affected is likely to be in the millions or tens of millions.
Shawn Turner, a spokesman for the Office of the Director of National Intelligence, which oversees the NSA, tells the Post the agency "is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers and drug smugglers. We are not interested in personal information about ordinary Americans."
Turner says the rules approved by Attorney General Eric Holder require the NSA to "minimize the acquisition, use and dissemination" of information that identifies a U.S. citizen or permanent resident.
But Francoise Gilbert, a lawyer specializing in privacy, security and cloud computing, contends that's easier said than done, pointing out that much of the data the NSA captures likely resides on servers scattered around the globe.
"In a world where data reside on a cloud, most data that we use or collect are, at any time, located in a foreign country," says Gilbert of the IT Law Group. "The new information - assuming it is not fabricated, accurate, not taken out of context, etc. - only adds to the overwhelming amount of information that we have received so far. Before pointing the finger, we need to evaluate how reliable this information is, where it comes from, whether it has been fabricated, taken out of context, etc. From a legal standpoint, what I think we should ask is: What gave the U.S. government the right to collect such a massive amount of information?"
Raether picks up on the theme of data integrity, maintaining that the NSA can't distinguish between whether the information comes from a terrorist, a criminal or a law-abiding citizen. "We can only conclude that NSA does not have the controls in place to make sure this information is not misused, intentionally by a bad actor or by a NSA agent that has personally concluded that a person or business should be compromised even if unrelated to criminal activity," says Raether, who specializes in privacy and data security law as a partner at the law firm Faruki Ireland & Cox.
Citing the United Nation's Declaration of Human Rights, Gilbert questions the right of one nation to subject citizens of other nations to the "arbitrary interference with their privacy."
"If the U.S. wants some respect from all countries, it has to get rid of the notion of some things are OK because it affects 'them,' i.e., the non-U.S. residents," she says.
No Public Outcry
Jonathan Turley, a legal scholar who teaches at George Washington University, says the NSA program creates a databank system that lets the government observe and track virtually every contact and association of a person's life. But, he suggests, most Americans don't seem to care.
Turley, in a blog posting, says the latest revelations suggest the American public accepts that their online activities are being monitored by the federal government.
"The most amazing aspect of this story is the complete lack of response or outcry," Turley says. "President Obama has succeeded, it seems, in changing the expectations of privacy in our society - a change that is unlikely to be reversed to the great detriment of civil liberties in America. It is the latest example of why it is increasingly curious for Americans to refer to this country as 'the land of the free' as we construct a massive internal security state and unchecked executive powers."
Yet, Jay Stanley, a senior policy analyst at the American Civil Liberties Union, sees a silver lining to the NSA programs that collect e-mail addresses, buddy lists and phone numbers. "When it comes to privacy, good policy often emerges only when politicians and other policymakers start to feel personally threatened by its violation," he says. "Maybe, as members of Congress and others start to live their lives under the cloud of NSA surveillance, will we see the strong response that is needed."
Until then, Raether says, adding e-mail addresses and buddy lists to the vast data warehouse of phone numbers the NSA maintains jeopardizes privacy.
"Buddy lists and e-mail address books contain, at a minimum, contact information, such as who is associated with what numbers," he says. "Thus, combining the two data sets allows the NSA to draw conclusions as to who the intercepted calls are between. It also enables them to learn more about the callers and what they might be discussing."
In addition, e-mail address books and buddy lists include other types of information, such as the names and addresses of relatives, places of employment, and dates of birth. Free-text fields could include IDs and passwords for online accounts, creating even greater security concerns. "Such details alone could be used to social engineer a security breach," Raether says.
Indeed, it's that threat of social engineering that should be of concern to chief information security officers and other IT security specialists charged with protecting systems, the attorney says.
"If the NSA can intercept this information, then can others do so as well? Is the intercepted information being used for social engineering? Does it include passwords stored in free-text fields? The answer to these questions is likely 'yes,'" Raether says.