The National Security Agency is collecting hundreds of millions of contact lists from e-mail and instant message accounts from around the world, according to a Washington Post report.
The collection, which was revealed in documents supplied by NSA whistleblower Edward Snowden, occurs when Internet services transmit the data, typically when users log in, compose a message, or sync devices, the Post reported Monday. The agency is said to analyze that data to identify hidden connections among foreign intelligence targets.
The agency collects an estimated 500,000 buddy lists on chat services and Web-based e-mail every day, according to an internal NSA PowerPoint presentation reviewed by the Post.
During a single day last year, the NSA's Special Source Operations branch collected 444,743 e-mail address books from Yahoo, 105,068 from Hotmail, 82,857 from Facebook, 33,697 from Gmail and 22,881 from unspecified other providers, according to an internal NSA PowerPoint presentation. Those figures, described as a typical daily intake in the document, correspond to a rate of more than 250 million per year.
The collection, which occurs overseas, hinges on arrangements with telecommunications companies and foreign intelligence agencies with access to facilities that route data on the Internet's main lines, the Post said. The agency is not authorized to collect the information from facilities in the United States, but US intelligence officials told the Post that contact lists for Americans are often harvested in the sweep.
The NSA said the data it collects is used to combat terrorism and an array of other crimes.
"The National Security Agency is focused on discovering and developing intelligence about valid foreign intelligence targets like terrorists, human traffickers, and drug smugglers," the agency said in a statement. "We are not interested in personal information about ordinary Americans. Moreover, we operate in accordance with rules approved by either the Attorney General or the Foreign Intelligence Surveillance Court, as appropriate, designed to minimize the acquisition, use, and dissemination of any such information."
Because the data is being collected while it is in transit on the Internet rather than from storage on servers, the agency doesn't have to notify Internet services or ask for their help.
"We have neither knowledge nor participation in this mass collection of Web mail addresses or chat lists by the government," a Google spokesperson told CNET in a statement.
Yahoo issued a similar statement, saying, "We are not aware of nor have we participated in the alleged mass collection of user data by the government."
A Microsoft spokesperson told CNET it found the allegations troubling.
"Microsoft does not provide any government with direct or unfettered access to our customer's data," a Microsoft representative said in a statement. "We would have significant concerns if these allegations about government actions are true."
Facebook used the revelation to once again push the government for greater transparency regarding data-collection activities and the related requests made of Internet and telecommunications companies.
"As we have said many times, we believe that while governments have an important responsibility to keep people safe, it is possible to do so while also being transparent," a Facebook representative said. "We strongly encourage all governments to provide greater transparency about their efforts aimed at keeping the public safe, and we will continue to be aggressive advocates for greater disclosure."
A Yahoo spokesperson told the Post that it would begin using SSL (Secure Sockets Layer) to encrypt e-mail connections. Google has always offered Gmail users the ability to use HTTPS (Hypertext Transfer Protocol Secure) and made it the default setting in 2010.
The NSA's program comes to light amid scrutiny of the methods used by the US intelligence and law enforcement community, which, critics say, has run roughshod over privacy rights and the Constitution in the name of national security.
CNET reported in July that the US government has attempted to obtain the master encryption keys that Internet companies use to shield millions of users' private Web communications from eavesdropping. However, a source said that large Internet companies have resisted the requests on the grounds that they go beyond what the law permits.
In August, encrypted e-mail service Lavabit suddenly closed up after the FBI obtained a search warrant demanding that it turn over the keys to its data encryption to further the agency's effort to trace a single Lavabit user. Lavabit, which uses encryption to prevent messages from being read by anyone other than the sender or recipient, was the service Snowden allegedly used to send a message to a Human Rights Watch representative in July.
Updated at 6:30 p.m. PT with statements from Microsoft, Facebook, and Yahoo.