The US National Security Agency's (NSA) mass internet surveillance programmes collect more data from ordinary internet users than from legitimate targets, a study has shown.
Nine out of 10 people in a cache of intercepted communications leaked by whistleblower Edward Snowden were not the intended targets of its surveillance, reveals a study by The Washington Post.
The study is based on 160,000 intercepted conversations, including more than 120,000 instant messages, around 22,000 emails and nearly 4,000 social network messages from 11,400 users.
They were collected using internet surveillance programmes such as Prism and the Upstream collection, a set of surveillance programmes that tap directly into the internet backbone.
The study reveals for the first time that Snowden managed to obtain the content of intercepted communications.
The leaked data came from domestic NSA operations under the authority granted by Congress in 2008, with amendments to the Foreign Intelligence Surveillance Act (FISA).
FISA content is generally stored in closely controlled data repositories and, for more than a year, senior government officials have depicted it as beyond Snowden’s reach, The Washington Post said.
NSA's lax criteria
The paper’s study shows that even when focused on legitimate targets, the NSA’s surveillance programmes collected conversations mainly between innocent internet users.
The data also included medical records, intimate chat messages and photographs of young children.
To spy on the content of US communications, the NSA has to get an individual warrant but, for foreigners, no warrant is needed.
Many of these communications got swept up because the NSA had lax criteria when it came to determining if the target was a US citizen or a foreigner, according to The Washington Post.
Harm to privacy
NSA analysts worked under the assumption that non-English emails belonged to foreigners, or that all people on a foreign target's contact list were also foreigners, the paper said.
According to a recent “transparency” report by the agency that oversees US spy agencies, the NSA spied on nearly 90,000 targets in 2013.
The Snowden documents show that from 2009 to 2012, the ratio of targets to non-targets was 1 to 9.
If this ratio was the same in 2013, it would mean the NSA collected internet communications of around 810,000 people in that year.
While there are discoveries of considerable intelligence value in the intercepted messages, The Washington Post said the study has also revealed “collateral harm to privacy on a scale that the Obama administration has not been willing to address”.
UK call for privacy
In June 2013, former UK security minister Pauline Neville-Jones called for the law governing mass internet surveillance to be tightened up.
Her call came after a challenge by privacy groups forced top UK counter-terrorism official Charles Farr to reveal a secret government policy justifying mass surveillance of social media users in the UK.
Neville-Jones said Farr’s legal justification for mass surveillance of the internet risked undermining public confidence in the intelligence services.
She also supported calls for the Regulation of Investigatory Powers Act (Ripa) to be tightened up and more detail and controls added.
"If it is the case that officials are exploiting loopholes in the law to get externally generated information that they would not otherwise be able to get [without a warrant], then that's something I would not endorse," said Neville-Jones.