The U.S. National Security Agency (NSA) Monday defended its data collection practices amid revelations that almost 90% of the data it sweeps up involves ordinary Internet users not suspected of crimes.
NSA spokeswoman Vanee Vines said the agency has long acknowledged that the data it intercepts as part of surveillance activities involves non-suspects in terrorism investigations. And the spy agency has long contended that it employs strong measures to ensure the privacy of such data, she said.
"NSA's authority under Section 702 is limited to targeting foreigners outside of the U.S. for foreign intelligence purposes," Vines said. "As we have always said, we also incidentally intercept the communications of persons in contact with valid foreign intelligence targets."
The Washington Post reported on Saturday that nearly 90% of those whose data is collected in NSA surveillance programs are Internet users with no connection to terrorist activites.
The report was based on the newspaper's analysis of 160,000 online conversations intercepted by the NSA between 2009 and 2012. The data was supplied to the Post by Edward Snowden.
According to the account, about 121,130 of the intercepted conversations were instant messages, 22,100 were email mails, some 3,850 were social media messages and nearly 8,000 were stored documents.
The documents include revelations about a secret overseas nuclear project, a military calamity involving an unfriendly power, the identities of several hackers who broke into U.S. computer networks and the identity of double agent of a supposed U.S. ally, the newspaper said.
The NSA's monitoring of some of the accounts led directly to the capture of two terrorists wanted by U.S. authorities in connection with previous attacks, according to the documents obtained by the Post.
"Many of were [the non-suspects] were Americans. Nearly half of the surveillance files, a strikingly high proportion, contained names, e-mail addresses or other details that the NSA marked as belonging to U.S. citizens or residents," the paper noted.
Some of the intercepted data was very personal -- almost voyeuristic, the Post said.
"They tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are catalogued and recorded nevertheless," the story said.
The data collected by the NSA includes medical records, resumes from job hunters, academic transcripts of school children and other highly personal data.
Kurt Opsahl, deputy general counsel of the Electronic Frontier Foundation said the Post's revelations are disturbing. "It illustrates the far-reaching breadth and scope of the NSA spying program, far beyond what the numbers in the government's transparency report indicate," he said.
By focusing on surveillance "targets," the NSA is hiding the true invasiveness of its surveillance activities. "Keep in mind that the Post's analysis was only of information the government decided to store for years. Even more information was likely sifted through before these communications landed in the NSA database," he said.
The government needs to explain why it had a practice of keeping irrelevant information with personal details of ordinary people, Opsahl noted. "The article revealed the NSA is not making a serious effort to exclude US persons, as required by the law."
The Post's revelations provide a rare glimpse into exactly what the NSA collects as part of its surveillance activities.
According to the Post some of the user accounts in the documents leaked by Snowden appear to have been monitored because they were directly linked with legitimate terrorism suspects. But many other accounts were monitored simply because they happened to be in the same online chat room as a terrorism suspect or used the same foreign IP address as a suspect and other tenuous reasons, the Post said.
Vance downplayed privacy concerns and insisted that the NSA takes all legally mandated steps to ensure that all data it collects is handled in an appropriate manner.
"That's why Congress required that there be rules minimizing the collection, retention, and dissemination of information about U.S. persons," she said in an email to Computerworld.
The rules were approved by the U.S. Attorney General and the Foreign Intelligence Surveillance Court and are designed to minimize the impact of surveillance on Americans who are not targets, Vines said. The agency is now working to extend similar privacy protections to non-suspects living outside the U.S., she said.
Jaikumar Vijayan covers data security and privacy issues, financial services security and e-voting for Computerworld. Follow Jaikumar on Twitter at @jaivijayan or subscribe to Jaikumar's RSS feed. His e-mail address is [email protected].
Read more about cyberwarfare in Computerworld's Cyberwarfare Topic Center.