Monday, December 9, 2013
By Barton Gellman And Ashkan Soltani
The Washington Post
(Continued from page 1)
National Security Agency Director Gen. Keith Alexander oversees an agency that collects hundreds of thousands of email address books on a daily basis from top U.S. services like Gmail and Yahoo.
The Associated Press
Because of the method employed, the agency is not legally required or technically able to restrict its intake to contact lists belonging to specified foreign intelligence targets, he said.
When information passes through “the overseas collection apparatus,” the official added, “the assumption is you’re not a U.S. person.”
In practice, data from Americans is collected in large volumes – in part because they live and work overseas, but also because data crosses international boundaries even when its American owners stay at home. Large technology companies, including Google and Facebook, maintain data centers around the world to balance loads on their servers and work around outages.
A senior U.S. intelligence official said that the privacy of Americans is protected, despite mass collection, because “we have checks and balances built into our tools.”
NSA analysts, he said, may not search or distribute information from the contacts database unless they can “make the case that something in there is a valid foreign intelligence target in and of itself.”
In this program, the NSA is obliged to make that case only to itself or others in the executive branch. With few exceptions, intelligence operations overseas fall solely within the president’s legal purview. The Foreign Intelligence Surveillance Act, enacted in 1978, imposes restrictions only on electronic surveillance that targets Americans or takes place on U.S. territory.
By contrast, the NSA draws on authority in the Patriot Act for its bulk collection of domestic phone records, and it gathers online records from U.S. Internet companies, in a program known as PRISM, under powers granted by Congress in the FISA Amendments Act. Those operations are overseen by the Foreign Intelligence Surveillance Court.
Sen. Dianne Feinstein, D-Calif., chairman of the Senate Intelligence Committee, said in August that the committee has less information about, and conducts less oversight of, intelligence-gathering that relies solely on presidential authority. She said she planned to ask for more briefings on those programs.
“In general, the committee is far less aware of operations conducted under 12333,” said a senior committee staff member, referring to Executive Order 12333, which defines the basic powers and responsibilities of the intelligence agencies. “I believe the NSA would answer questions if we asked them, and if we knew to ask them, but it would not routinely report these things, and in general they would not fall within the focus of the committee.”
Because the agency captures contact lists “on the fly” as they cross major Internet switches, rather than “at rest” on computer servers, the NSA has no need to notify the U.S. companies that host the information or to ask for help from them.
It is unclear why the NSA collects more than twice as many address books from Yahoo than the other big services combined. One possibility is that Yahoo, unlike other service providers, has left connections to its users unencrypted by default.
Suzanne Philion, a Yahoo spokesman, said Monday in response to an inquiry from The Washington Post that, beginning in January, Yahoo would begin encrypting all its email connections.
Google was the first to secure all its email connections, turning on “SSL encryption” globally in 2010. People with inside knowledge said the move was intended in part to thwart large-scale collection of its users’ information by the NSA and other intelligence agencies.
The volume of NSA contacts collection is so high that it has occasionally threatened to overwhelm storage repositories, forcing the agency to halt its intake with “emergency detasking” orders. Three NSA documents describe short-term efforts to build an “across-the-board technology throttle for truly heinous data” and longer-term efforts to filter out information that the NSA does not need.