Snowden leak alleges NSA snooping on web contact lists

A document leaked by whistleblower Edward Snowden alleges the National Security Agency collects up to 250 million online address books each year.

The collection of contact lists from both foreign and US email and instant message accounts is outlined in a document leaked to the Washington Post.

Scrutinising such lists allows the NSA to find hidden connections between people of interest to them, it says.

The web firms involved said that they did not give direct access to the NSA.

During a single day last year, the NSA collected 444,743 email address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook and 33,697 from Gmail, according to the alleged internal NSA Powerpoint presentation.

Another 22,881 address books were harvested from unspecified providers, according to the Washington Post.

In response to earlier allegations, Yahoo said that it would begin to encrypt email connections from next year. Meanwhile Facebook called for greater government transparency about data collection and Microsoft said the revelations raised "significant concerns".

The data collection, which the paper says takes place overseas, happens when users log in, compose a message or sync devices.

According to the leaked document, the information is collected at at least 18 key access points controlled by telecommunication companies based outside the US.

Because American web communications can flow outside of the country, the contact lists of US citizens also cross the international collection points, known as Sigads (Signals Intelligence Activity Designators).

This is particularly significant because President Obama has previously said that US citizens were not targeted by the surveillance, which he said struck "the right balance" between security and privacy.

No control

Address books include names and email addresses but can also include telephone numbers, home addresses, and business and family information.

Many web-based email services generate contact lists automatically once an email has been sent. These lists allow users to write emails more quickly by providing an auto-complete suggestion.

Prof Alan Woodward, who is from the University of Surrey's department of computing and has been an adviser to GCHQ (UK Government Communications Headquarters), is not surprised by the latest allegations.

"One of the problems of putting any data in the cloud or with other forms of online service provider is that you no longer have complete control over it," he told the BBC.

"Many of the online service providers are themselves reaching into your machine and pulling your contact list from your PC to their service to 'assist' you in finding other users of the service that you might know and wish to contact or connect with."

Dodgy character

For an intelligence analyst, access to such data would allow them to reconstruct a network of who knows whom among criminals and terrorists.

But Prof Woodward added: "Unfortunately it is quite unreliable in this day and age as we are all in so many people's contact lists that the networks become very tangled.

"Think of the old game where we try to think how we are connected to Kevin Bacon within six steps. By such reasoning Kevin Bacon would be a very dodgy character and not just because of his EE adverts," he added.

Previous Snowden allegations have suggested large-scale NSA spying and attempts to weaken internet encryption.

The NSA said that such surveillance is used to combat terrorism, drug smuggling and human trafficking among other crimes.

It has always maintained it has no interest in the personal information of ordinary Americans.

But NSA director general Keith Alexander has defended the bulk collection of internet communications, saying that counter-terrorism and serious crime-fighting requires "the haystack to find the needle".