Logo for Special Source Operations branch of NSA from PowerPoint disclosed by Edward Snowden
The National Security Agency‘s Special Source Operations branch manages “partnerships” in which U.S. and foreign telecommunications companies allow the NSA to use their facilities to intercept phone calls, e-mails and other data. This briefing describes problems with overcollection of data from e-mail address books and buddy lists, as well as NSA efforts to filter out what it does not need.
The details
What is a “session”?
A session is another term for a data interchange between two computers, such as when you log into a service or mail is transfered. Each of these “sessions” crosses the NSA’s collection points, filling storage repositories with redundant data.
“Selectors detasked”
Selectors are the NSA’s term for what it is searching for — such as an e-mail address or phone number. Detasking means the agency stops collection. This slide laments that the Yahoo Messenger problem forced it to stop collecting important information about Greece and Libya.
How many address books are collected?
This slide sets out the number of contact lists collected on a single day, Jan. 10, 2012, from the six top overseas access points, which are designated by alphanumeric codes. The “US” prefix denotes an NSA access point and “DS” refers to the NSA’s Australian counterpart.
MARINA/MAINWAY/PINWALE
MARINA is an NSA database and analysis tool for internet metadata. MAINWAY is primarily for telephone metadata for contact chaining, and PINWALE for written content.
“Attributable”
Address books make up an unexpectedly large share of information pulled in by the NSA. Many of them are less useful to the NSA because they are “unattributed,” with the owners unknown.
Why collect “buddy lists”?
Buddy lists sometimes include the text of messages waiting to be delivered, which count as content. Webmail inboxes, which list new messages, often include a line or two of the text.
“~500,000 buddy lists and inboxes collected on a representative day”
When the NSA searches for a specific target, such as an e-mail address used by a terrorist, it usually finds only a listing in someone else’s address book. More valuable finds — the target’s own address book, a person communicating with the target or a message that mentions the target — are rarer.
A targeted account gets hacked
This and the next three slides tell the story of an e-mail account, under NSA surveillance, that was hacked and subsquentaly used by spammers to send bulk mail. S2E is the Middle East and North Africa office of the NSA’s Analysis and Production subdirectorate.
Spammers complicate collection
The user of this e-mail account had a number of Yahoo groups in his or her address book, some of them with thousands of members. Spammers used the account to send e-mails to all of them.
Targeted account detasked
The spam created so many false connections that the Yahoo account had to be “emergency detasked” to prevent the collection system from overflowing.
GRAPHIC: Barton Gellman and Matt DeLong – The Washington Post.
GeoIntel.Blog.4.Italian/SMEs 