A document recently leaked by Edward Snowden reveals that the National Security Agency is vacuuming up contact lists — address books and “buddy lists” — of people using email or instant messaging. The Agency may also be getting the first few lines of people’s emails, using the same technology. The NSA claims it is only collecting this information overseas, and searching its caches only if there is a foreign intelligence justification. So why worry?
Well, there are a few big things we know, and a couple we don’t. In Donald Rumsfeld’s underappreciated words, these are the known knowns and the known unknowns. And they are all cause for concern.
First, while the NSA may be focusing its efforts overseas, it is getting a lot of Americans’ data too. How? To start with, any American living or traveling overseas will “look” foreign to the NSA. In addition, if Americans correspond with friends overseas by email – which is highly likely – their address can be picked up when those friends are targeted. And remember, a target isn’t necessarily a terrorist. It can be anyone talking about anything of interest to the U.S. government, including a friend who works for a non-governmental organization or bank located outside the United States.
Most significantly, what stays overseas doesn’t necessarily happen overseas. American communications companies — think Google and Facebook — are big. They handle a lot of data. They can’t process it all in the U.S. So they have foreign servers, which may handle Americans’ communications. Thus, even if only foreign locales are targeted, Americans’ contact lists are bound to be swept up as well.
This brings us to the second thing we know: contact lists can tell the government a lot. They can include names, email addresses, phone numbers, physical addresses, birthdays, names of family members, and more. At the same time, they may be deceptive, suggesting connections to people the owner of the list doesn’t even know or knows very little. Indeed, we all receive dozens of emails a day from people and companies we don’t know and probably don’t want to know. The NSA itself has had a problem with spammers taking over targets’ email accounts and emailing thousands of people whose address books are then automatically harvested, leading to a torrent of useless information flooding the NSA’s computers. So these lists offer a double whammy: they are revealing AND potentially misleading.
Finally, we know the government is getting a lot of information: over a million address lists, buddy lists, and inboxes on an average day. Not all of that belongs to Americans, to be sure. But even a modest percentage of a lot can be a lot. And according to the NSA’s own documents, one of the main effects of this data has been to overwhelm the agency’s rather impressive systems. This is the agency that built a database that held 41 billion communications records in a single month. So if it says it’s getting too much, you can take that to the bank.
This brings us to two important things we don’t know. First, what successes, if any, has this sweeping program had that couldn’t be accomplished with more targeted collection? There is good reason to demand a frank answer. The director of the NSA has grudgingly confirmed to Congress that the phone metadata database has made few if any unique contributions to the nation’s safety. That’s why a bipartisan group of senators, many with access to classified information, has proposed shuttering the entire program. A couple of years ago, a similar program for email metadata was finally shut down under pressure from two of those same lawmakers, Sens. Wyden and Udall, when the NSA couldn’t prove its effectiveness. Given this track record, we must learn more about the address list program.
Our second known unknown is how long the government is keeping the contact lists of innocent Americans, their friends, and their friends’ friends. The government has said there are minimization procedures governing this data, but it has kept mum on what those are. If they are anything like the procedures governing the NSA’s handling of the content of Americans’ emails and phone calls, they’re pretty generous. Those procedures, which address the accidental collection of Americans’ communications, allow the NSA to keep Americans’ emails and calls for up to six years from the start of surveillance – longer if they contain foreign intelligence or evidence of a crime. The NSA may not keep the contact lists for so long, simply because they take up so much space. But Americans deserve to know exactly how the government is handling their private information.
No doubt, we will learn about some other NSA collection program soon. But this is the latest picture. The known knowns should give us pause. At the same time, there is a lot we don’t know yet. The public deserves to get answers that will allow an honest assessment of both the value of the NSA’s program and its impact on our liberties. If recent history is any guide, the more information comes out, the harder the program will be to defend.
Rachel Levinson-Waldman is counsel in the Brennan Center’s Liberty and National Security Program and the author of What the Government Does with Americans’ Data.