NSA collects e-mail address books in Internet surveillance

Remember when James Clapper and Keith Alexander insisted in Congressional testimony that the NSA didn’t collect e-mail data from Americans? Good times, good times.  The Washington Post Barton Gellman and Askhan Soltani reported last night that the NSA vacuums up hundreds of thousands of e-mail address books a day, at a rate approaching 250 million a year, in order to find links to terrorists within the data:

The National Security Agency is harvesting hundreds of millions of contact lists from personal e-mail and instant messaging accounts around the world, many of them belonging to Americans, according to senior intelligence officials and top-secret documents provided by former NSA contractor Edward Snowden.

The collection program, which has not been disclosed before, intercepts e-mail address books and “buddy lists” from instant messaging services as they move across global data links. Online services often transmit those contacts when a user logs on, composes a message, or synchronizes a computer or mobile device with information stored on remote servers.

Rather than targeting individual users, the NSA is gathering contact lists in large numbers that amount to a sizable fraction of the world’s e-mail and instant messaging accounts. Analysis of that data enables the agency to search for hidden connections and to map relationships within a much smaller universe of foreign intelligence targets.

During a single day last year, the NSA’s Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million a year.

Previously, the Obama administration insisted that the NSA only looked at metadata on e-mail and phone communications, likening it to reading the outside of envelopes. They weren’t looking at the content, Clapper and Alexander argued after their testimony got exposed as misleading, and so weren’t infringing on privacy.

This looks like a different kettle of fish.  This isn’t like looking at the outside of envelopes placed in the mail system, an action which courts have ruled carries no expectations of privacy. This is more akin to breaking into homes and rifling through the private address books left in the top right corner of the end table under the phone.  It’s not a fleeting look at data on outbound or inbound communications, but grabbing information from within private accounts that isn’t sent out at all — without permission, and without any probable cause.

Would that information help identify terrorists? Maybe, but that’s not the threshold of legality in this constitutional republic, either. Gellman and Soltani argue that this part of the NSA’s efforts don’t even meet their previous threshold of legality:

The NSA has not been authorized by Congress or the special intelligence court that oversees foreign surveillance to collect contact lists in bulk, and senior intelligence officials said it would be illegal to do so from facilities in the United States. The agency avoids the restrictions in the Foreign Intelligence Surveillance Act by intercepting contact lists from access points “all over the world,” one official said, speaking on the condition of anonymity to discuss the classified program. “None of those are on U.S. territory.”

Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said.

When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”

That kind of information could connect dots in more than just counter-terrorism operations.  Has this data been used in leak investigations?