NSA defends collecting data from U.S. residents not suspected of terrorist activities

Spokeswoman says spy agency has long said some of the data it intercepts belongs to non-suspects

The U.S. National Security Agency (NSA) Monday defended its data collection practices amid revelations that almost 90% of the data it sweeps up involves ordinary Internet users not suspected of crimes.

NSA spokeswoman Vanee Vines said the agency has long acknowledged that the data it intercepts as part of surveillance activities involves non-suspects in terrorism investigations. And the spy agency has long contended that it employs strong measures to ensure the privacy of such data, she said.

"NSA's authority under Section 702 is limited to targeting foreigners outside of the U.S. for foreign intelligence purposes," Vines said. "As we have always said, we also incidentally intercept the communications of persons in contact with valid foreign intelligence targets."

The Washington Post reported on Saturday that nearly 90% of those whose data is collected in NSA surveillance programs are Internet users with no connection to terrorist activities.

The report was based on the newspaper's analysis of 160,000 online conversations intercepted by the NSA between 2009 and 2012. The data was supplied to the Post by Edward Snowden.

According to the account, about 121,130 of the intercepted conversations were instant messages, 22,100 were emails, some 3,850 were social media messages and nearly 8,000 were stored documents.

The documents include revelations about a secret overseas nuclear project, a military calamity involving an unfriendly power, the identities of several hackers who broke into U.S. computer networks and the identity of a double agent of a supposed U.S. ally, the newspaper said.

The NSA's monitoring of some of the accounts led directly to the capture of two terrorists wanted by U.S. authorities in connection with previous attacks, according to the documents obtained by the Post.

"Many of [the non-suspects] were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents," the paper noted.

Some of the intercepted data was very personal -- almost voyeuristic, the Post said.

"They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless," the story said.

The data collected by the NSA includes medical records, resumes from job hunters, academic transcripts of school children and other highly personal data.

Kurt Opsahl, deputy general counsel of the Electronic Frontier Foundation, said the Post's revelations are disturbing. "It illustrates the far-reaching breadth and scope of the NSA spying program, far beyond what the numbers in the government's transparency report indicate," he said.

By focusing on surveillance "targets," the NSA is hiding the true invasiveness of its surveillance activities. "Keep in mind that the Post's analysis was only of information the government decided to store for years. Even more information was likely sifted through before these communications landed in the NSA database," he said.

The government needs to explain why it had a practice of keeping irrelevant information with personal details of ordinary people, Opsahl noted. "The article revealed the NSA is not making a serious effort to exclude US persons, as required by the law."

The Post's revelations provide a rare glimpse into exactly what the NSA collects as part of its surveillance activities.

According to the Post, some of the user accounts in the documents leaked by Snowden appear to have been monitored because they were directly linked with legitimate terrorism suspects. But many other accounts were monitored simply because they happened to be in the same online chat room as a terrorism suspect, used the same foreign IP address as a suspect, or for other tenuous reasons, the Post said.

Vines downplayed privacy concerns and insisted that the NSA takes all legally mandated steps to ensure that all data it collects is handled in an appropriate manner.

"That's why Congress required that there be rules minimizing the collection, retention, and dissemination of information about U.S. persons," she said in an email to Computerworld.

The rules were approved by the U.S. Attorney General and the Foreign Intelligence Surveillance Court and are designed to minimize the impact of surveillance on Americans who are not targets, Vines said. The agency is now working to extend similar privacy protections to non-suspects living outside the U.S., she said.

Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is jvijayan@computerworld.com.
