Article Lead Image

The NSA has your address book

Internal slides show the agency gets half a million address books a day on average.


Kevin Collier


The National Security Agency sucks up Internet users’ contact lists and address books on a massive scale, according to previously unseen documents published Monday by the Washington Post.

It’s yet another revelation provided by former NSA contractor Edward Snowden, presented in PowerPoint slideshow form.

The documents shed light on the agency’s previously established practice of choosing new surveillance targets based on “contact-chaining”—looking not just at a person of interest but at the people within a few degrees of separation, too.

Previously leaked documents show that one method the NSA employs is to search for who’s “included in the ‘buddy list’ or address book” of an established target. It wasn’t explicitly clear at the time how the NSA gets that information.

One example of compiling contact lists, according to the slides, is that the agency can collect scores of contacts through an idle Yahoo messenger user. The agency engages in brief “sporadic collection” sessions, more than 30,000 to 60,000 times a day. It searches for email metadata—who a user emails with, and when. It doesn’t include the contents of those emails, and it’s unclear if it tracks users’ locations.

The practice reflects fits the U.S. intelligence community’s oft-repeated remark that “If you’re looking for the needle in a haystack, you have to have the haystack.” And the end result is mind-boggling in scale. According to one slide, “NSA collects, on a representative day, ~500,000 buddylists and inboxes.” In an single day in 2012, the agency acquired “444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from miscellaneous others

The U.N. estimates there are 2.7 billion Internet users in the world in 2013. Were that number to remain constant (it won’t), the NSA would be on pace to collect an address book per person in under 15 years. It’s unclear when this program started. 

To give a sense of how broadly the agency can move from one person to another, the slides cite a single Yahoo email user, whose username the Post redacted, marked as a member of Iranian Army’s elite Quds Force. That soldier was hacked and the email address began sending out spam, providing the NSA with a host of new contacts.

But it was apparently system overload for that particular operation. According to the Post’s analysis, “the spam created so many false connections that the Yahoo account had to be ‘emergency detasked’ to prevent the collection system from overflowing.” According to the slide, “Inboxes where the recipient did not delete the spam message continued to be collected every time they were viewed.”

A representative at the office of James Clapper, the director of National Intelligence (ODNI), told the Post that the NSA is focused on gathering intelligence on terrorists and human traffickers, and it’s “not interested in personal information about ordinary Americans.” However, it’s not clear that Americans wouldn’t be swept up in such a mass collection.

The ODNI didn’t immediately respond to the Daily Dot’s request for clarification.

Illustration by Jason Reed

The Daily Dot