9 of 10 Net users in leaked data were not spy targets

WASHINGTON -- Ordinary Internet users in the U.S. and abroad far outnumber legally targeted foreigners in the communications intercepted by the National Security Agency from U.S. digital networks, according to a four-month investigation by The Washington Post.

Nine of 10 account holders found in a large cache of intercepted conversations, which former National Security Agency contractor Edward Snowden provided in full, were not the intended surveillance targets but were caught in a net the agency had cast for someone else.

Many of them were Americans. Nearly half of the surveillance files contained names, email addresses or other details that the agency marked as belonging to U.S. citizens or residents. Agency analysts masked, or "minimized," more than 65,000 such references to protect Americans' privacy, but the investigation found nearly 900 additional email addresses, unmasked in the files, that could be linked to U.S. citizens or residents.

Among the conversations' contents -- which The Washington Post will not describe in detail, to avoid harming ongoing operations -- are fresh revelations about a secret overseas nuclear project, double-dealing by an ostensible ally, a military calamity that befell an unfriendly power, and the identities of aggressive intruders into U.S. computer networks.

Months of tracking communications across more than 50 alias accounts, the files show, led directly to the 2011 capture in Abbottabad of Muhammad Tahir Shahzad, a Pakistan-based bomb builder, and Umar Patek, a suspect in a 2002 terrorist bombing on the Indonesian island of Bali. At the request of CIA officials, The Washington Post is withholding other examples that officials said would compromise ongoing operations.

Many other files, described as useless by the analysts but nonetheless retained, tell stories of love and heartbreak, illicit sexual liaisons, mental-health crises, political and religious conversions, financial anxieties and disappointed hopes. The daily lives of more than 10,000 account holders who were not targeted are cataloged and recorded nevertheless.

The cache of intercepted communications Snowden provided came from domestic agency operations under the broad authority granted by Congress in 2008 with amendments to the Foreign Intelligence Surveillance Act. That content is generally stored in closely controlled data repositories, and for more than a year, senior government officials have depicted it as beyond Snowden's reach.

About 160,000 intercepted email and instant-message conversations were reviewed, some of them hundreds of pages long, as well as 7,900 documents taken from more than 11,000 online accounts.

The material spans President Barack Obama's first term, from 2009 to 2012, a period of exponential growth for the spy agency's domestic collection.

The files show the changes wrought by Section 702 of the surveillance act amendments, which enabled the National Security Agency to make freer use of methods that for 30 years had required probable cause and a warrant from a judge. One program, code named Prism, extracts content stored in user accounts at Yahoo, Microsoft, Facebook, Google and five other leading Internet companies. Another, known inside the agency as Upstream, intercepts data on the move as it crosses the U.S. junctions of global voice and data networks.

No government oversight body has delved into a comparably large sample of what the National Security Agency actually collects -- not only from its targets but from people who may cross a target's path.

Among the latter are medical records sent from one family member to another, resumes from job hunters and academic transcripts of schoolchildren. In one photo, a young girl in religious dress beams at a camera outside a mosque.

Scores of pictures show infants and toddlers in bathtubs, on swings, sprawled on their backs and kissed by their mothers. In some photos, men show off their physiques. In others, women model lingerie, leaning suggestively into a webcam or striking risque poses in shorts and bikini tops.

By law, the agency may "target" only foreigners located overseas unless it obtains a warrant based on probable cause from a special surveillance court. For collection under Prism and Upstream rules, analysts must state a reasonable belief that the target has information of value about a foreign government, a terrorist organization or the spread of nonconventional weapons.

Most of the people caught up in those programs are not the targets and would not lawfully qualify as such. "Incidental collection" of third-party communications is inevitable in many forms of surveillance, but in other contexts the U.S. government works harder to limit and discard irrelevant data. In criminal wiretaps, for example, the FBI is supposed to stop listening to a call if a suspect's wife or child is using the phone.

There are many ways to be swept up incidentally in surveillance aimed at a valid foreign target. Some of those in the Snowden archive were monitored because they interacted directly with a target, but others had tenuous links.

If a target entered an online chat room, the agency collected the words and identities of every person who posted there, regardless of subject, as well as every person who simply "lurked," reading passively what other people wrote.

In other cases, the agency designated as its target the Internet protocol, or IP, address of a computer server used by hundreds of people.

The agency treats all content intercepted incidentally from third parties as permissible to retain, store, search and distribute to its government customers. Raj De, the agency's general counsel, has testified that the agency does not generally attempt to remove irrelevant personal content because it is difficult for one analyst to know what might become relevant to another.

The Obama administration has declined to discuss the scale of incidental collection. The National Security Agency, backed by National Intelligence Director James Clapper Jr., has asserted that it is unable to make any estimate, even in classified form, of the number of Americans swept in.

If Snowden's sample is representative, the population under scrutiny in the Prism and Upstream programs is far larger than the government has suggested. In a June 26 "transparency report," the Office of the Director of National Intelligence disclosed that 89,138 people were targets of last year's collection under the surveillance act's Section 702. At the 9-to-1 ratio of incidental collection in Snowden's sample, the office's figure would correspond to nearly 900,000 accounts, targeted or not, under surveillance.

Unmasked identities

U.S. intelligence officials declined to confirm or deny in general terms the authenticity of the intercepted content provided by Snowden, but they made off-the-record requests to withhold specific details that they said would alert the targets of ongoing surveillance. Some officials, who declined to be quoted by name, described Snowden's handling of the sensitive files as reckless.

In an interview, Snowden said "primary documents" offered the only path to a concrete debate about the costs and benefits of Section 702 surveillance. He did not favor public release of the full archive, he said, but he did not think a reporter could understand the programs "without being able to review some of that surveillance, both the justified and unjustified."

Snowden said the Prism and Upstream programs have "crossed the line of proportionality."

"Even if one could conceivably justify the initial, inadvertent interception of baby pictures and love letters of innocent bystanders," he added, "their continued storage in government databases is both troubling and dangerous. Who knows how that information will be used in the future?"

For close to a year, National Security Agency and other government officials appeared to deny, in congressional testimony and public statements, that Snowden had any access to the material.

As recently as May, shortly after he retired as agency director, Gen. Keith Alexander denied that Snowden could have passed such content to journalists.

Robert Litt, the general counsel for the Office of the Director of National Intelligence, said in a statement that Alexander and other officials were speaking only about "raw" intelligence, the term for intercepted content that has not yet been evaluated, stamped with classification markings or minimized to mask U.S. identities.

"We have talked about the very strict controls on raw traffic, the training that people have to have, the technological lockdowns on access," Litt said. "Nothing that you have given us indicates that Snowden was able to circumvent that in any way."

Snowden said he did not need to circumvent those controls because his final position as a contractor for Booz Allen at the National Security Agency's Hawaii operations center gave him "unusually broad, unescorted access to raw SIGINT [signals intelligence] under a special 'Dual Authorities' role," a reference to Section 702 for domestic collection and Executive Order 12333 for collection overseas. Those credentials, he said, allowed him to search stored content without prior approval.

"If I had wanted to pull a copy of a judge's or a senator's email, all I had to do was enter that selector into XKEYSCORE," one of the agency's main query systems, he said.

The agency has released an email exchange acknowledging that Snowden took the required training classes for access to those systems.

At one level, the National Security Agency shows scrupulous care in protecting the privacy of U.S. citizens and, by policy, those of its four closest intelligence allies -- Britain, Australia, Canada and New Zealand.

More than 1,000 distinct "minimization" terms appear in the files, attempting to mask the identities of "possible," "potential" and "probable" U.S. persons, along with the names of U.S. beverage companies, universities, fast-food chains and Web mail hosts.

Some of them use titles that could apply to only one man. A "minimized U.S. president-elect" begins to appear in the files in early 2009, and references to the current "minimized U.S. president" appear 1,227 times in the next four years.

Even so, unmasked identities remain in the agency's files, and the agency's policy is to hold on to "incidentally" collected U.S. content, even if it does not appear to contain foreign intelligence.

In their classified internal communications, colleagues and supervisors often remind the analysts that Prism and Upstream collection have a "lower threshold for foreignness 'standard of proof' " than a traditional surveillance warrant from a surveillance court judge, requiring only a "reasonable belief" and not probable cause.

One analyst rests her claim that a target is foreign on the fact that his emails are written in a foreign language. Others are allowed to presume that anyone on the chat "buddy list" of a known foreign national is also foreign.

In an ordinary surveillance application, the judge grants a warrant and requires a fresh review of probable cause -- and the content of collected surveillance -- every 90 days. When renewal fails, the agency and analysts sometimes switch to the more lenient standards of Prism and Upstream, records show.

"These selectors were previously under FISA warrant but the warrants have expired," one analyst writes, requesting that surveillance resume under the looser standards of Section 702. The request was granted.

Information for this article was contributed by Jennifer Jenkins and Carol D. Leonnig of The Washington Post.

A Section on 07/06/2014

Upcoming Events