Here’s another way the National Security Information may be watching you: the agency is collecting over 250 million contact lists from e-mail and instant messaging accounts each year, of which tens of millions of accounts are likely to be American.
Instead of targeting individuals, the NSA is taking mass amounts of contact data as it moves around the world. This purportedly avoids legal concerns that would restrict the program because the actions take place under the assumption that the data collected is not that of U.S. citizens, according to a report from the Washington Post,.
What to Do:If you’re really worried, get offline. Otherwise, unplug from cloud-based address book services that store and share contact info. Same goes for chat services as well as mobile device services that sync contacts to the cloud. Deploy encryption software to staff, for instant messaging and email communications.
The NSA is exploiting U.S. law in a way that is not credible, says director of cybersecurity center.Ready Tweet
“They’re exploiting the way in which U.S. law is constructed and doing it in a way that I don’t think is credible,” says Fred Cate, a professor at Maurer School of Law at Indiana University, Bloomington, and the director of the Center for Applied Cybersecurity Research. “There’s a good faith assertion that this is not U.S. person information being collected. The problem is that in the documents from Snowden they’re advertising that they’re getting U.S. person data and you can’t have it both ways. From that point of view, it’s illegal.”
Even it such contact lists are being collected, even more problematic, according to experts, is the kind of information that can be extrapolated using the personal data that these lists contained. Even if the information contained within is supposedly anonymous, researchers have been able to de-anonymize similar forms of personal data with little trouble.
For example, one researcher showed that with only a zip code, birth date, and sex, 87 percent of the population can be identified.
“I hope this revelation goes a little closer to putting the nail in this coffin of this perception that metadata is not data and is not sensitive,” says Bryan Ford, an assistant professor of computer science at Yale University. “Because it should be obvious to people by now that it’s extremely sensitive.”
The easiest way to stop your address books from landing in the NSA’s lap? Get offline and delete your emails. If that’s not an option, as is true for most people, Ford suggests ceasing use of cloud-based contact lists and address books that sync contact information between devices.
“Whenever anyone uploads their contact list to a cloud based service it gets transmitted and it gets stored in servers all over the world,” Ford says. “A very incomplete first step would be to stick to keeping your contact list on your own machine.”
Once that information is on your computer, make sure that it doesn’t sync to anything else, and if you need to copy or transfer it, copy it manually.
“If you’re even more paranoid, I’d keep contacts you really don’t want in this system on a Post-it note in your basement, or at least in an encrypted text file on your computer rather than address book software.”
Don’t forget the phone. Address books and contact lists may live on the device, but if you’re plugging that device into your computer, they may sync with the computer or with a cloud service backing up that information. With instant messaging, the assumption should be that the content and contacts you use are likely to be interceptible, especially if you use a chat client that shares and saves that data.
“There are some specific programs developed by privacy advocates,” Ford says, referring to Silent Circle and Off the Record, which encrypt communications. “For anyone who is looking for IM products that are at least likely to have considered those issues.
While some experts believe that the NSA has too much data to analyze properly, others worry that even if the collected information is not useful today, it remains stored for some future date where the relevant data could be pulled.
“The piece of this disclosure that is the most troubling is this legal dance that the administration is trying to do to say that it’s lawful activity,” says Cate. “People assume that the motivations in this case were good, but once the ability and the data exists, the next person who does it may not have such wonderful intentions. If it’s legal now, it’ll be legal then, too.”