buddy lists – Techdirt
Even Senate Intelligence Committee Admits That NSA Oversight Is Often A Game Of 20 Questions
from the look-at-that... dept
We just recently quoted Rep. Justin Amash talking about how Congressional “oversight” of the NSA tended to be this bizarre game of 20 questions, where briefings would be held, but you wouldn’t be told any information unless you asked precisely the right questions:
But Amash said that intelligence officials are often evasive during classified briefings and reveal little new information unless directly pressed.
“You don’t have any idea what kind of things are going on,” Amash said. “So you have to start just spitting off random questions. Does the government have a moon base? Does the government have a talking bear? Does the government have a cyborg army? If you don’t know what kind of things the government might have, you just have to guess and it becomes a totally ridiculous game of twenty questions.”
It would appear that sense goes beyond just folks like Amash, all the way up to the head of the Senate Intelligence Committee, Dianne Feinstein. While she’s still a strong supporter of the NSA’s surveillance programs, the latest revelations about the NSA’s collection of buddy lists and email address books pointed out that those issues weren’t covered by Congressional oversight, since they happened overseas. When the Washington Post questioned Feinstein’s office about this, a senior staffer seemed unconcerned, mentioning that perhaps they should be asking questions about it:
Sen. Dianne Feinstein (D-Calif.), chairman of the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence-gathering that relies solely on presidential authority. She said she planned to ask for more briefings on those programs.
“In general, the committee is far less aware of operations conducted under 12333,” said a senior committee staff member, referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. “I believe the NSA would answer questions if we asked them, and if we knew to ask them, but it would not routinely report these things, and in general they would not fall within the focus of the committee.”
That, ladies and gentlemen, is the kind of “oversight” that Congress conducts.
Filed Under: buddy lists, congress, inboxes, nsa, nsa surveillance, oversight, senate intelligence committee
NSA Collects Email Contact Lists, Instant Messaging Chat Buddy Lists From Overseas With No Oversight At All
from the well,-there's-that dept
The Washington Post is out with the latest revelations from the Snowden leaks and it shows that the NSA relies on foreign telcos and “allied” intelligence agencies to scoop up data on email contact lists and instant messaging buddy lists to help build its giant database of connections. Remember a few weeks ago how it was reported that the NSA was basically building a secret shadow social network? It seems like this might be one of the ways it’s able to tell who your friends are.
There are a variety of important points here. First off, this information is not coming directly from the tech companies (which, again, suggests that earlier claims that the NSA had direct access to all their servers were mistaken). Rather, they’re picking this information up off the backbone connections in foreign countries. It also explains why they get so much data from Yahoo — because, for no good reason at all, Yahoo hasn’t forced encryption on its webmail users until… the news of this started to come out.
And here’s the big problem: because all of this information is collected overseas, rather than at home, it’s not subject to “oversight” (and I use that term loosely) by the FISA court or Congress. Those two only cover oversight for domestic intelligence. The fact that the NSA can scoop up all this data overseas is just a bonus.
Also, while the program is ostensibly targeted at “metadata” concerning connections between individuals, the fact that it collects “inboxes” and “buddy lists” appears to reveal content at times. With buddy lists, it can often collect content that was sent while one participant was offline (where a server holds the message until the recipient is back online), and with inboxes, they often display the beginning of messages, which the NSA collects.
Separately, because this is allowing them to gather so much data, it apparently overwhelmed the NSA’s datacenters. At times, this is because they get inundated with… spam. For example, one of the documents revealed shows that a target they had been following in Iran had his Yahoo email address hacked for spamming, and that presented a problem:
In fall 2011, according to an NSA presentation, the Yahoo account of an Iranian target was “hacked by an unknown actor,” who used it to send spam. The Iranian had “a number of Yahoo groups in his/her contact list, some with many hundreds or thousands of members.”
The cascading effects of repeated spam messages, compounded by the automatic addition of the Iranian’s contacts to other people’s address books, led to a massive spike in the volume of traffic collected by the Australian intelligence service on the NSA’s behalf.
After nine days of data-bombing, the Iranian’s contact book and contact books for several people within it were “emergency detasked.”
Because of this mess, the NSA has tried to stop collecting certain types of information, doing “emergency detasks” of certain collections. This, yet again, shows how ridiculous Keith Alexander’s “collect it all” mantra is. When you collect it all, you get inundated with a ton of bogus data, and the information presented here seems to support that.
Filed Under: buddy lists, chat, contacts, email, information, nsa, nsa spying, nsa surveillance, telcos